1. Executive Summary

On December 4, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a critical alert regarding UNC5221, a China-nexus state-sponsored actor. This group has been observed utilizing a sophisticated backdoor known as BRICKSTORM to target public sector and information technology infrastructure.

I have analyzed a specific artifact associated with this campaign: a Linux ELF binary masquerading as a PostgreSQL update utility (pg_update.elf). pg_update.elf is not a standard PostgreSQL command or file; the name most likely imitates PostgreSQL's pg_upgrade, which performs rapid upgrades by creating new system tables and simply reusing the old user data files.

This report serves as an enrichment to the official CISA disclosure, offering a granular look at the backdoor's technical construction, evasion mechanisms, and indicators of compromise (IoCs).

2. The UNC5221/UTA0178 Profile

Before dissecting the binary, it is crucial to understand the adversary. UNC5221 is a suspected PRC-state-sponsored actor known for persistent espionage campaigns.

  • Targeting: The group focuses on the public sector, critical infrastructure, and IT service providers.
  • Modus Operandi: They are heavily invested in "Living off the Land" (LotL) techniques and exploiting edge infrastructure.

Threat Actor Details:

3. Technical Analysis: The Artifact (pg_update.elf)


The sample analyzed for this report masquerades as a legitimate database maintenance tool. This social engineering tactic suggests the threat actors are specifically targeting database servers.

3.1 Technique Details

File and Directory Permissions Modification

  • T1027 (Obfuscated Files or Information)
  • Linux and Mac File and Directory Permissions Modification (T1222.002): Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or by users with the appropriate permissions. ACL implementations vary by platform, but generally designate explicitly which users or groups can perform which actions (read, write, execute, etc.). Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While the details of each platform's permissions implementation vary, most provide two primary commands for manipulating file and directory ACLs: chown (short for change owner) and chmod (short for change mode). Adversaries may use these commands to make themselves the owner of files and directories, or to change the mode if current permissions allow it, and could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Sandbox warning for this sample (modifies file or directory owner):

/usr/bin/sudo /usr/bin/chown

sudo chown user /home/user/Desktop/pg_update.elf

chown user /home/user/Desktop/pg_update.elf

3.2 Static Properties & Obfuscation

The payload is a 64-bit ELF executable targeting the x86-64 architecture. My static analysis revealed immediate red flags regarding how the binary was built to hinder analysis.

  • File Name: pg_update.elf
  • File Size: ~8.23 MB
  • Compiler: Go
  • Obfuscation:
    • Stripped Symbols: The binary is stripped, meaning debugging symbols (variable and function names) have been removed.
    • Static Linking: It is statically linked, incorporating all necessary libraries into the file itself. This increases the file size and makes it harder for analysts to isolate malicious code from standard library code.
    • Modified Headers: The section headers appear modified or stripped, a clear anti-reverse-engineering technique mapped to MITRE ATT&CK T1027 (Obfuscated Files or Information).

Figure: Hex view of the stripped ELF headers indicating anti-analysis tampering.
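The header-level red flags listed above (64-bit x86-64, missing section headers, no dynamic loader, Go tooling) can be triaged without a full disassembler. The following is an added example written for this report, not code from the original analysis or from the sample; it parses only the ELF64 file and program headers and builds a constructed toy image for testing, since the real pg_update.elf is not embedded here. The "Go buildinf:" string check is a heuristic assumption based on the Go toolchain's buildinfo magic.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_X86_64 = 62
PT_INTERP = 3                               # program header that names the dynamic loader
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header (64 bytes, little-endian)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)

def triage_elf64(data: bytes) -> dict:
    """Report the build characteristics described in section 3.2 from the headers alone."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        return {"is_elf": False}
    (ident, _, e_machine, _, _, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = EHDR.unpack_from(data)
    if ident[4] != 2:                       # EI_CLASS: 2 == ELFCLASS64
        return {"is_elf": True, "class64": False}
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(data):     # truncated or tampered table: stop safely
            break
        has_interp |= PHDR.unpack_from(data, off)[0] == PT_INTERP
    return {
        "is_elf": True,
        "class64": True,
        "x86_64": e_machine == EM_X86_64,
        # a zero section-header offset/count is what a stripped header table looks like
        "section_headers_stripped": e_shoff == 0 or e_shnum == 0,
        "statically_linked": not has_interp,            # no PT_INTERP => no dynamic loader
        "looks_like_go": b"Go buildinf:" in data,        # heuristic: Go buildinfo magic
    }

def build_sample(static: bool, strip_sections: bool) -> bytes:
    """Constructed toy ELF64 image for offline testing (NOT the real sample)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8      # class64, LE, version 1
    phdrs = [PHDR.pack(1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]   # one PT_LOAD
    if not static:
        phdrs.insert(0, PHDR.pack(PT_INTERP, 4, 0, 0, 0, 0, 0, 1))
    shnum, shoff = (0, 0) if strip_sections else (5, 0x2000)
    hdr = EHDR.pack(ident, 2, EM_X86_64, 1, 0x401000, EHDR.size, shoff, 0,
                    EHDR.size, PHDR.size, len(phdrs), 64, shnum, 0)
    return hdr + b"".join(phdrs) + b"\xff Go buildinf:" + b"\x00" * 16

if __name__ == "__main__":
    print(triage_elf64(build_sample(static=True, strip_sections=True)))
```

Run it against a real file with triage_elf64(open(path, "rb").read()); a result with stripped section headers, no PT_INTERP and the Go marker matches the profile of this sample.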

3.3 Execution Flow and System Modification

Upon execution, the malware attempts to entrench itself and modify system attributes. Based on behavioral logs and sandbox detonation, pg_update.elf does not act passively.

Privilege and Ownership Manipulation: The malware explicitly attempts to modify file ownership and permissions to ensure execution persistence.

  • It utilizes sudo and chown to change the owner of pg_update.elf to the root user or specific target users.
  • It utilizes chmod +x to ensure the binary has executable permissions.
  • Process execution observed: /bin/sh -c sudo chown user /home/user/Desktop/pg_update.elf.

System Service Interaction: The malware interacts with various Linux subsystems, likely for reconnaissance or persistence:

  • CUPS (Common Unix Printing System): It interacts with cups.service, checking if it is active or enabled. This is a common, often overlooked service that can be exploited for persistence.
  • Logging Daemon (rsyslog): The malware sends a HUP signal to rsyslog.service. This is highly suspicious and suggests an attempt to rotate logs or flush buffers, potentially to hide tracks or manipulate audit logs.

Files written:

  • /dev/ptmx
  • /dev/pts/0
  • /dev/tty
  • /var/log/auth.log.1.gz
  • /var/log/kern.log.1.gz
  • /var/log/syslog.1.gz

Files dropped:

  • 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  • afa4699480d8c923c3bc93ebdc7712f1e8d982ab4628f80e39e75de1de6df90f
  • eb72592561cb53ee335c91d4f3edf6bc1f903ad73f53ef33fde8950a4993f487
  • /var/log/auth.log.1.gz
  • /var/log/kern.log.1.gz
  • /var/log/syslog.1.gz

Shell commands:

/bin/gzip

/sbin/runlevel

/usr/lib/rsyslog/rsyslog-rotate

invoke-rc.d --quiet cups restart

ls /etc/rc[S2345].d/S[0-9][0-9]cups

sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "

sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/mail.info /var/log/mail.warn /var/log/mail.err /var/log/mail.log /var/log/daemon.log /var/log/kern.log /var/log/auth.log /var/log/user.log /var/log/lpr.log /var/log/cron.log /var/log/debug /var/log/messages

sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog

systemctl --quiet is-active cups.service

systemctl --quiet is-enabled cups.service

systemctl kill -s HUP rsyslog.service

3.4 Network Communications

Figure: C2 domain pcsdl[.]com related to pg_update.elf

The network profile of the malware shows a mix of "noise" (standard Ubuntu connectivity checks) and targeted command and control (C2) traffic.

Figure: HTTP requests

4. Detection & Hunting

For SOC analysts and threat hunters, detecting BRICKSTORM, and particularly the pg_update.elf sample, requires looking beyond simple hash matching. The following signatures and indicators should be implemented.

YARA Detection

From the pg_update.elf behavior that I have explained above, I have created the YARA rule below.

import "hash"

rule Linux_BRICKSTORM_pg_update_Strict
{
    meta:
        description = "Detects specific BRICKSTORM backdoor sample (pg_update.elf) used by UNC5221"
        hash_md5 = "b1b7aaa5bd4408a4d3003a9fabcdd041"
        hash_sha256 = "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035"
        tlsh = "T158961A16FC9608EAC1FEE1308696937ABF7038A5833177E35F909A651675FD8693E300"
        severity = "High"

    strings:
        $c2_domain = "pcsdl.com" ascii
        $path_log = "/var/log/auth.log.1.gz" ascii
        $uniq_pattern = "!#%')+-/13!#%')+-/13!#%')+-/13" ascii

    condition:
        // Check for the ELF magic header (0x7f 'E' 'L' 'F', read as a little-endian uint32)
        uint32(0) == 0x464c457f and
        (
            // Match exactly by hash (needs the "hash" module imported above)
            hash.sha256(0, filesize) == "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035"
            or
            // OR match by the C2 domain plus a second sample-specific string
            // (YARA rejects a rule that declares a string without referencing it)
            ($c2_domain and ($uniq_pattern or $path_log))
        )
}

5. Indicators of Compromise (IoCs)

File Hashes:

  • MD5: b1b7aaa5bd4408a4d3003a9fabcdd041
  • SHA-1: b8eed63ab9cbdca494f26a6f66bfd4a0a693b3f0
  • SHA-256: 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
  • Telfhash: t1511320f197a835f0a165c91ad7b63470d67728f627e038f184367c62efa0f49186ac27

Network Indicators:

  • Domain: pcsdl[.]com
  • IP: 13[.]248[.]236[.]204

FileSystem Artifacts (Host-based):

  • Filename: pg_update.elf (often found in /tmp/, /home/user/Desktop/, or masquerading in /opt/vmware/vpostgres/current/bin/).
  • Dropped Files:
    • /var/log/auth.log.1.gz (modification timestamp anomalies)
    • /var/log/syslog.1.gz
  • Suspicious chmod or chown activity in auth.log targeting binary files in user directories.
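The host-based indicators above (sudo-driven chown/chmod on a binary in a user directory, and the HUP sent to rsyslog) can be hunted directly in auth.log. This is an added example written for this report, not code from the original analysis; the log lines are constructed in the standard Ubuntu sudo format, and the hostname, timestamps and the benign entries are assumptions.

```python
import re
from typing import Dict, List

# auth.log format written by sudo on Debian/Ubuntu for every elevated command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target_user>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Directories where the report says pg_update.elf has been found.
SUSPECT_DIRS = ("/tmp/", "/home/", "/opt/vmware/vpostgres/")

def classify(cmd: str) -> str:
    """Return a reason string if the sudo command matches the sample's behaviour, else ''."""
    argv = cmd.split()
    if not argv:
        return ""
    prog = argv[0].rsplit("/", 1)[-1]          # /usr/bin/chown -> chown
    if prog in ("chown", "chmod"):
        target = argv[-1]
        if target.startswith(SUSPECT_DIRS) and (target.endswith(".elf") or "+x" in argv):
            return f"{prog} on binary in user-writable directory: {target}"
    if prog == "systemctl" and "kill" in argv and "HUP" in argv and "rsyslog" in cmd:
        return "HUP sent to rsyslog (possible log rotation/tampering)"
    return ""

def hunt_auth_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan auth.log lines and collect the entries worth escalating."""
    findings = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue                            # not a sudo entry (sshd, cron, ...)
        reason = classify(m["cmd"])
        if reason:
            findings.append({"ts": m["ts"], "user": m["user"],
                             "reason": reason, "cmd": m["cmd"]})
    return findings

# Constructed sample auth.log lines (not real telemetry); first three mirror section 3.3.
SAMPLE_AUTH_LOG = [
    "Dec  5 10:14:02 dbhost sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/chown user /home/user/Desktop/pg_update.elf",
    "Dec  5 10:14:03 dbhost sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/chmod +x /home/user/Desktop/pg_update.elf",
    "Dec  5 10:14:09 dbhost sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/systemctl kill -s HUP rsyslog.service",
    "Dec  5 10:20:00 dbhost sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update",
    "Dec  5 10:21:00 dbhost sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 52211 ssh2",
]

if __name__ == "__main__":
    for f in hunt_auth_log(SAMPLE_AUTH_LOG):
        print(f["ts"], f["user"], f["reason"])
```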

6. References & Further Reading