Active threat profile
type: nation-state
threat_level: critical
status: active
origin: Russia
last_updated: 2026-03-13

DarkHalo

also known as: UNC2452, NOBELIUM, SolarStorm

DarkHalo is a Russia-linked espionage cluster publicly tied to the SolarWinds Orion supply-chain intrusion and to earlier long-dwell compromises against a US think tank. The cluster matters because it demonstrated disciplined operational security, selective victim follow-on activity, and a strong focus on email-centric intelligence collection.

attributed origin: Russia
suspected sponsor: Russian Foreign Intelligence Service (SVR), by attribution overlap
first observed: 2019
primary motivation: strategic espionage
primary targets: government, technology, think tanks
known campaigns: 3 major public incident clusters
mitre att&ck group: G0016 (APT29 overlap)
target regions: North America, Europe
threat level: critical

Overview

DarkHalo is the name Volexity used for the actor it linked to multiple compromises involving a US-based think tank and, later, the SolarWinds Orion supply-chain intrusion. Public reporting subsequently aligned DarkHalo with the broader cluster tracked by other vendors and governments as UNC2452, NOBELIUM, SolarStorm, and APT29-linked SVR activity. For operational profiling purposes, DarkHalo is best understood as a highly capable Russian espionage cluster emphasizing stealth, selective follow-on exploitation, credential and session abuse, supply-chain access, and mailbox-focused intelligence collection rather than noisy mass disruption.

Target Profile

DarkHalo target selection is consistent with strategic intelligence collection priorities rather than broad criminal monetization. Public reporting ties the cluster to government agencies, think tanks, policy organizations, technology providers, and organizations that can provide privileged downstream access or sensitive diplomatic and policy insight.

  • Government: Government networks and agencies have been high-value targets because of the intelligence value of internal email, policy deliberations, and access to trusted partner relationships.
  • Think tanks and policy organizations: Volexity documented focused theft of email belonging to executives, policy experts, and IT staff, showing deliberate interest in policy and geopolitical research environments.
  • Technology and service providers: Supply-chain and third-party access patterns show interest in organizations that can extend operational reach into additional government or enterprise victims.

Tactics, Techniques & Procedures

Documented TTPs show an operator that favors stealth, trusted channels, and flexible access restoration. The table below focuses on well-supported techniques associated with the SolarWinds / UNC2452 / DarkHalo activity cluster.

MITRE ID  | Technique | Description
T1195.002 | Compromise Software Supply Chain | SolarWinds Orion updates were backdoored to provide initial access to selected downstream victims through a trusted software channel.
T1078     | Valid Accounts | The cluster repeatedly abused legitimate credentials and authenticated access paths, including mailbox-focused operations and selective follow-on access.
T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Volexity documented abuse of a Duo-related session context during OWA access, illustrating a focus on bypassing MFA-protected workflows without triggering normal prompts.
T1041     | Exfiltration Over C2 Channel | Public reporting described targeted email collection and exfiltration through established access paths rather than high-volume smash-and-grab data theft.

Known Campaigns

These entries focus on public operations and incident clusters that are either directly attributed to DarkHalo by Volexity or widely associated with the overlapping UNC2452 / NOBELIUM / APT29 activity cluster.

SolarWinds Orion Supply-Chain Intrusion 2020

Trojanized Orion software updates enabled covert access to selected downstream victims. Follow-on activity included selective targeting of victims for further exploitation, mailbox access, stealthy command-and-control, and use of second-stage malware such as TEARDROP within the broader intrusion set.

US Think Tank Multi-Incident Compromise 2019-2020

Volexity described three major incidents affecting a US-based think tank across 2019 and 2020, including long-term undetected access, re-entry via Microsoft Exchange Control Panel exploitation, and later compromise by way of SolarWinds Orion.

NOBELIUM Follow-On Phishing and Cloud Operations 2021

Microsoft attributed later wide-scale phishing and cloud-focused operations to NOBELIUM, the same actor behind SolarWinds-related activity, showing that the cluster remained active after public exposure and continued targeting governments, think tanks, consultants, and NGOs.

Tools & Malware

The DarkHalo / UNC2452 / NOBELIUM cluster has been associated in public reporting with several malware and post-exploitation components used across SolarWinds-related and follow-on espionage operations.

  • SUNBURST: The backdoor inserted into compromised SolarWinds Orion builds to establish covert initial access through trusted software updates.
  • TEARDROP: A memory-resident loader associated with second-stage execution during the SolarWinds compromise and used to deploy further payloads such as Cobalt Strike.
  • GoldMax and related tooling: Microsoft later associated NOBELIUM with additional malware families and early-stage tooling used in post-SolarWinds operations.

Mitigation & Defense

Because this cluster combines supply-chain compromise, identity abuse, stealthy persistence, and mailbox-centric collection, resilient defense requires stronger trust-boundary validation and deep telemetry across identity, email, endpoint, and third-party software channels.

  • Harden software trust paths: Validate signed update channels, monitor high-trust management platforms, and treat unexpected child processes or network behavior from administration software as high-priority signals.
  • Strengthen identity telemetry: Monitor mailbox access, anomalous token and session behavior, impossible-travel patterns, legacy authentication, and unusual use of valid accounts across cloud and on-prem services.
  • Constrain privileged lateral movement: Segment administrative systems, reduce standing privilege, protect Exchange and identity infrastructure, and correlate endpoint, proxy, and email logs for low-noise long-dwell activity.
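The identity-telemetry bullet above and the T1550.004 row in the TTP table both point at the same detection problem: an MFA-backed web session (such as OWA behind Duo) being reused from somewhere other than where the MFA step completed, and authentications that hop countries faster than a person could travel. The rule below is an added illustration written for this profile, not code from Volexity or any vendor; the event schema, field names and log lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not from any real product):
# alice completes MFA from one IP, later her same session cookie is used
# for OWA from a different IP with no new MFA; bob's two MFA logins hop
# US -> DE within twenty minutes.
SAMPLE_EVENTS = [
    {"ts": "2026-03-13T08:00:00", "user": "alice", "event": "mfa_success", "session": "s1", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2026-03-13T08:00:05", "user": "alice", "event": "owa_access",  "session": "s1", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2026-03-13T11:30:00", "user": "alice", "event": "owa_access",  "session": "s1", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2026-03-13T09:00:00", "user": "bob",   "event": "mfa_success", "session": "s2", "ip": "192.0.2.5",    "country": "US"},
    {"ts": "2026-03-13T09:20:00", "user": "bob",   "event": "mfa_success", "session": "s3", "ip": "192.0.2.99",   "country": "DE"},
]


def detect(events, travel_window=timedelta(minutes=60)):
    """Return (rule, user, detail) findings for session reuse and impossible travel."""
    findings = []
    mfa_ip = {}     # session id -> source IP where the MFA step completed
    last_auth = {}  # user -> (timestamp, country) of the previous MFA-backed login
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort correctly as strings
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "mfa_success":
            mfa_ip[e["session"]] = e["ip"]
            prev = last_auth.get(e["user"])
            # Two MFA-backed logins from different countries inside the window.
            if prev and prev[1] != e["country"] and ts - prev[0] < travel_window:
                findings.append(("impossible_travel", e["user"], f"{prev[1]}->{e['country']}"))
            last_auth[e["user"]] = (ts, e["country"])
        elif e["event"] == "owa_access":
            origin = mfa_ip.get(e["session"])
            if origin is None:
                # Mailbox access on a session that never passed MFA in our telemetry.
                findings.append(("no_mfa_for_session", e["user"], e["session"]))
            elif origin != e["ip"]:
                # Same session cookie, different source than the MFA step (T1550.004 pattern).
                findings.append(("session_reuse", e["user"], f"{e['session']} from {e['ip']}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:18} {user:8} {detail}")
```

A source-IP change alone is noisy on mobile and VPN egress, so in production the session-reuse rule should be gated on additional context such as ASN or country change, or paired with a fresh MFA prompt rather than an immediate alert.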
Note

DarkHalo is best presented as a named vendor-tracking cluster rather than a permanently separate actor from APT29. MITRE ATT&CK currently treats Dark Halo, UNC2452, NOBELIUM, and SolarStorm as associated group names under APT29 (G0016), so analysts should be explicit about alias overlap when using the profile operationally.

Sources & Further Reading

Attribution and references used to build this profile.
