Threat Actor Profile
High APT
Description

UNC2452 is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.(Citation: FireEye SUNBURST Backdoor December 2020) Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.(Citation: FireEye SUNBURST Backdoor December 2020) The group also compromised at least one think tank by late 2019.(Citation: Volexity SolarWinds)

Confidence Score
90%
Known Aliases
UNC2452 NOBELIUM StellarParticle Dark Halo
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

STIX Data
{
  "type": "intrusion-set",
  "spec_version": "2.1",
  "id": "intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b",
  "created": "2021-01-05T15:34:11.066Z",
  "modified": "2025-04-25T14:48:50.206Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "name": "UNC2452",
  "description": "[UNC2452](https://attack.mitre.org/groups/G0118) is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.(Citation: FireEye SUNBURST Backdoor December 2020) Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.(Citation: FireEye SUNBURST Backdoor December 2020) The group also compromised at least one think tank by late 2019.(Citation: Volexity SolarWinds)",
  "aliases": ["UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo"],
  "revoked": true,
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "G0118",
      "url": "https://attack.mitre.org/groups/G0118"
    },
    {
      "source_name": "UNC2452",
      "description": "(Citation: FireEye SUNBURST Backdoor December 2020)"
    },
    {
      "source_name": "NOBELIUM",
      "description": "(Citation: MSTIC NOBELIUM Mar 2021)"
    },
    {
      "source_name": "StellarParticle",
      "description": "(Citation: CrowdStrike SUNSPOT Implant January 2021)"
    },
    {
      "source_name": "Dark Halo",
      "description": "(Citation: Volexity SolarWinds)"
    },
    {
      "source_name": "FireEye SUNBURST Backdoor December 2020",
      "description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.",
      "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
    },
    {
      "source_name": "Volexity SolarWinds",
      "description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
      "url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
    },
    {
      "source_name": "MSTIC NOBELIUM Mar 2021",
      "description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.",
      "url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
    },
    {
      "source_name": "CrowdStrike SUNSPOT Implant January 2021",
      "description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.",
      "url": "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
    }
  ],
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Katie Nickels, Red Canary", "Matt Brenton, Zurich Insurance Group"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.1"
}
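The STIX object above is worth reading programmatically rather than by eye, because one field changes how it should be used: it carries revoked: true, which in STIX means the producer has withdrawn this object and it should no longer be used to label new activity, whatever a dashboard's "Active" badge says. The following script is an added example written for this page, not MITRE or platform code. It ingests an intrusion-set object as JSON, validates the fields a consumer depends on (STIX id shape and type prefix, spec version, timestamp ordering), pulls out the ATT&CK group ID, builds a case-folded alias index for matching names in reports, and refuses to mark a revoked or deprecated object as usable for attribution. The sample object embedded in the script is transcribed from the page's STIX Data section with its reference list shortened; the function names and the "usable for attribution" rule are this example's own conventions.

```python
"""Consume a MITRE ATT&CK STIX 2.1 intrusion-set object.

Added example for this profile page; not MITRE or platform code. The
sample object is transcribed from the page's STIX Data section, trimmed
to the fields the functions below read.
"""
import json
import re
from datetime import datetime

# Constructed sample: UNC2452 (G0118) as shown on the page, field values
# copied verbatim, external_references shortened to three entries.
SAMPLE_STIX = json.dumps({
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--dc5e2999-ca1a-47d4-8d12-a6984b138a1b",
    "created": "2021-01-05T15:34:11.066Z",
    "modified": "2025-04-25T14:48:50.206Z",
    "name": "UNC2452",
    "aliases": ["UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo"],
    "revoked": True,
    "x_mitre_deprecated": False,
    "x_mitre_version": "1.1",
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0118",
         "url": "https://attack.mitre.org/groups/G0118"},
        {"source_name": "FireEye SUNBURST Backdoor December 2020",
         "url": "https://www.fireeye.com/blog/threat-research/2020/12/"
                "evasive-attacker-leverages-solarwinds-supply-chain-"
                "compromises-with-sunburst-backdoor.html"},
        {"source_name": "Dark Halo",
         "description": "(Citation: Volexity SolarWinds)"},
    ],
})

# Common properties every STIX Domain Object must carry.
REQUIRED = ("type", "spec_version", "id", "created", "modified", "name")
# STIX 2.1 identifier: <object-type>--<UUID>; the prefix must equal "type".
STIX_ID = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def _ts(value):
    """Parse a STIX timestamp (RFC 3339 with trailing Z) into a datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(obj):
    """Return a list of problems; an empty list means the object is sound."""
    problems = [f"missing {f}" for f in REQUIRED if f not in obj]
    if problems:
        return problems
    if obj["type"] != "intrusion-set":
        problems.append(f"unexpected type {obj['type']!r}")
    if obj["spec_version"] != "2.1":
        problems.append(f"unsupported spec_version {obj['spec_version']!r}")
    m = STIX_ID.match(obj["id"])
    if not m:
        problems.append("malformed id")
    elif m.group(1) != obj["type"]:
        problems.append("id prefix does not match type")
    try:
        if _ts(obj["modified"]) < _ts(obj["created"]):
            problems.append("modified precedes created")
    except ValueError:
        problems.append("bad timestamp")
    return problems


def attack_id(obj):
    """ATT&CK group ID (e.g. G0118) taken from the mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def usable_for_attribution(obj):
    """Revoked or deprecated objects are withdrawn by the producer and must
    not be used to label new activity (this example's rule, not STIX's)."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def alias_index(obj):
    """Case-folded alias -> STIX id, for matching group names in report text."""
    names = {obj["name"], *obj.get("aliases", [])}
    return {n.casefold(): obj["id"] for n in names}


def citation_urls(obj):
    """Source URLs worth archiving; alias placeholder entries have none."""
    return sorted(r["url"] for r in obj.get("external_references", []) if "url" in r)


def summarize(text):
    """Parse, validate and reduce one intrusion-set object to what a
    consumer needs; raises ValueError on a malformed object."""
    obj = json.loads(text)
    problems = validate(obj)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "attack_id": attack_id(obj),
        "name": obj["name"],
        "aliases": sorted(alias_index(obj)),
        "revoked": bool(obj.get("revoked", False)),
        "usable_for_attribution": usable_for_attribution(obj),
        "citations": citation_urls(obj),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_STIX), indent=2))
```

Run against the page's object, summarize reports attack_id G0118 with revoked true and usable_for_attribution false: the alias index is still useful for recognising UNC2452, NOBELIUM, StellarParticle and Dark Halo in older reporting, but new detections should be tagged against whatever object MITRE now maintains in place of G0118, not against this revoked one.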