diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4ec3dc0..bba0fb6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13651,6 +13651,16 @@
       },
       "uuid": "f1d90b54-4821-41ff-8e07-ac650e0454b7",
       "value": "UNC2717"
+    },
+    {
+      "description": "UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.",
+      "meta": {
+        "refs": [
+          "http://internal-www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
+        ]
+      },
+      "uuid": "697cb051-5315-4026-bf4c-553b49f817a9",
+      "value": "UNC2659"
     }
   ],
   "version": 295