Instead, once Volt Typhoon actors have access to target environments, | Forum

decto roblex Mar 18 '24

Volt Typhoon actors rarely use post-compromise execution malware. Instead, once Volt Typhoon actors have access to target environments, they use hands-on-keyboard activities via the command line and other native tools and processes on the systems (often called known) to maintain and extend access to the victim. Some “commands appear to be exploratory or experimental because operators (malicious actors) adapt and repeat them multiple times.” For example, Volt Typhoon actors have been observed using Magnet RAM Capture version 1.20 on domain controllers. Magnet RAM Capture is a free imaging tool that captures a computer's physical memory, and Volt Typhoon actors likely used it to scan in-memory data for sensitive information (such as credentials) and data in transit, which are normally not accessible on the hard drive.

https://www.triggercam.com/group/triggercam-group/discussion/37b42297-065a-42a2-a02e-cfc5335baf22