Attackers use compromised legitimate websites to infect visitors; the malware then performs malicious activities. What is this attack called?

Attackers exploit trusted, legitimate websites that a target group visits, turning those sites into infection points. This is the essence of a watering hole approach: a site the victims already trust is compromised, and when they visit, malware is delivered and may run without the user doing anything. The option that best matches this scenario is the one describing compromised legitimate websites, because it directly captures the method of using trusted sites as the delivery vector for malware. This differs from spear-phishing, which uses fraudulent emails or pages to lure users to a site, and from the other items which refer to unrelated concepts. In watering hole attacks, drive-by downloads or exploits on the compromised page silently initiate the malicious activity.