T1480.002 Mutual Exclusion

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.[4]

While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.[4] By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.[2]

In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.[15]

Mutex names may be hard-coded or dynamically generated using a predictable algorithm.[3]

ID: T1480.002
Sub-techniques: T1480.001, T1480.002
Tactics: TA0005
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 19 September 2024
Last Modified: 15 April 2025

Procedure Examples

ID | Name | Description
G0082 | APT38 | APT38 has created a mutex to avoid duplicate execution.[22]
S1070 | Black Basta | Black Basta will check for the presence of a hard-coded mutex dsajdhas.0 before executing.[21]
S1161 | BPFDoor | When executed, BPFDoor attempts to create and lock a runtime file, /var/run/initd.lock, and exits if it cannot obtain the lock on that file, using it as a makeshift mutex.[5]
S1236 | CLAIMLOADER | CLAIMLOADER has created a hardcoded mutex to ensure only a single instance of the malware is running.[15][16]
S1247 | Embargo | Embargo has utilized a hardcoded mutex name of “LoadUpOnGunsBringYourFriends” using the CreateMutexW() function.[6] Embargo has also utilized a hardcoded mutex name of “IntoTheFloodAgainSameOldTrip.”[7]
S0168 | Gazer | Gazer creates a mutex using the hard-coded value {531511FA-190D-5D85-8A4A-279F2F592CC7} to ensure that only one instance of itself is running.[20]
S0632 | GrimAgent | GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic mymutex.[12]
S1202 | LockBit 3.0 | LockBit 3.0 can create and check for a mutex containing a hash of the MachineGUID value at execution to prevent running more than one instance.[11]
S0013 | PlugX | PlugX has leveraged a mutex in its infection process.[9][10]
S0012 | PoisonIvy | PoisonIvy creates a mutex using either a custom or default value.[14]
S1242 | Qilin | Qilin can create a mutex to ensure only one instance is running.[8]
S0496 | REvil | REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.[13]
S1183 | StrelaStealer | StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.[19]
S0562 | SUNSPOT | SUNSPOT creates a mutex using the hard-coded value {12d61a41-4b74-7610-a4d8-3028d2f56395} to ensure that only one instance of itself is running.[18]
S1239 | TONESHELL | TONESHELL has created a mutex to avoid duplicate execution.[16]
S1196 | Troll Stealer | Troll Stealer creates a mutex during installation to prevent duplicate execution.[17]
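Detection-side illustration of the Linux mutex-file variant described above and used by BPFDoor: a parser for the kernel's /proc/locks table that reports which live process currently holds a lock on a watched file such as /var/run/initd.lock. This is an added example, not code from the ATT&CK page or any cited report; the /proc/locks lines and the inode-to-path mapping below are constructed, and on a real host the mapping would be built with build_watchlist().

```python
import os
import re

# Constructed sample of /proc/locks output (not captured from a real host).
# Columns: id, type, mode, access, pid, MAJOR:MINOR:INODE (hex:hex:dec), start, end.
# A leading "->" marks a process blocked waiting on the lock listed above it,
# which is exactly what a second malware instance looks like while it tries
# to take the lock before giving up.
SAMPLE_PROC_LOCKS = """\
1: FLOCK  ADVISORY  WRITE 4242 08:01:393218 0 EOF
1: -> FLOCK  ADVISORY  WRITE 4301 08:01:393218 0 EOF
2: POSIX  ADVISORY  WRITE 917 00:19:14 0 EOF
3: LEASE  ACTIVE    WRITE 1200 08:01:52 0 EOF
"""

# Constructed watchlist: (major, minor, inode) -> path, as build_watchlist() would
# produce if /var/run/initd.lock had inode 393218 on device 8:1.
SAMPLE_WATCHLIST = {(8, 1, 393218): "/var/run/initd.lock"}

LOCK_RE = re.compile(
    r"^(?P<id>\d+):\s+(?P<waiting>->\s+)?(?P<type>\w+)\s+(?P<mode>\w+)\s+"
    r"(?P<access>\w+)\s+(?P<pid>-?\d+)\s+"
    r"(?P<maj>[0-9a-f]+):(?P<min>[0-9a-f]+):(?P<ino>\d+)"
)

def parse_proc_locks(text):
    """Parse /proc/locks text into dicts keyed by the file's device/inode triple."""
    locks = []
    for line in text.splitlines():
        m = LOCK_RE.match(line)
        if not m:
            continue
        locks.append({
            "type": m["type"], "pid": int(m["pid"]),
            "waiting": m["waiting"] is not None,
            "key": (int(m["maj"], 16), int(m["min"], 16), int(m["ino"])),
        })
    return locks

def build_watchlist(paths):
    """Map (major, minor, inode) -> path for every watched path that exists."""
    out = {}
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue  # file absent: nothing can hold a lock on it
        out[(os.major(st.st_dev), os.minor(st.st_dev), st.st_ino)] = p
    return out

def find_lock_holders(text, watchlist):
    """Return [(path, pid, lock type)] for locks actually held on watched files."""
    return [(watchlist[lk["key"]], lk["pid"], lk["type"])
            for lk in parse_proc_locks(text)
            if not lk["waiting"] and lk["key"] in watchlist]

if __name__ == "__main__":
    for path, pid, kind in find_lock_holders(SAMPLE_PROC_LOCKS, SAMPLE_WATCHLIST):
        print(f"{path} is held by pid {pid} ({kind} lock)")
```

On a live system, read /proc/locks and pass build_watchlist(["/var/run/initd.lock", ...]) as the watchlist; the reported pid is the process to triage.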

Mitigations

ID | Mitigation | Description
M1055 | Do Not Mitigate | Execution Guardrails likely should not be mitigated with preventative controls because doing so may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

References


  1. Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024. 

  2. Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024. 

  3. Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024. 

  4. Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024. 

  5. Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024. 

  6. Cyble. (2024, May 24). The Rust Revolution: New Embargo Ransomware Steps In. Retrieved October 19, 2025. 

  7. Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025. 

  8. Halcyon RISE Team. (2024, October 24). New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion. Retrieved September 26, 2025. 

  9. Alexandre Cote Cyr. (2022, March 23). Mustang Panda’s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025. 

  10. Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025. 

  11. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  12. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. 

  13. SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12  

  14. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024. 

  15. Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025. 

  16. Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025. 

  17. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025. 

  18. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  19. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024. 

  20. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  21. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. 

  22. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.