Nylon Typhoon (formerly NICKEL) uses exploits against unpatched systems to compromise remote access services and appliances. After a successful intrusion, the actors have used credential dumpers or stealers to obtain legitimate credentials, which they then used to access victim accounts and higher-value systems. Nylon Typhoon actors have been observed creating and deploying custom malware that allowed them to maintain persistence on victim networks over extended periods of time.