Execution Guardrails: Mutual Exclusion

ID Name
T1480.001 Environmental Keying
T1480.002 Mutual Exclusion

Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.[1]

While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.[1] By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.[2]

In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.[3][4]

Mutex names may be hard-coded or dynamically generated using a predictable algorithm.[5]

ID: T1480.002
Sub-technique of:  T1480
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Manikantan Srinivasan, NEC Corporation India; Nagahama Hiroki, NEC Corporation Japan; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 19 September 2024
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
G0082 APT38

APT38 has created a mutex to avoid duplicate execution.[6]

S1070 Black Basta

Black Basta will check for the presence of a hard-coded mutex dsajdhas.0 before executing.[7]

S1161 BPFDoor

When executed, BPFDoor attempts to create and lock a runtime file, /var/run/initd.lock, and exits if it fails to obtain the lock on that file, resulting in a makeshift mutex.[4]

S1236 CLAIMLOADER

CLAIMLOADER has created a hardcoded mutex to ensure only a single instance of the malware is running.[8][9]

S1247 Embargo

Embargo has utilized a hardcoded mutex name of "LoadUpOnGunsBringYourFriends" using the CreateMutexW() function.[10] Embargo has also utilized a hardcoded mutex name of "IntoTheFloodAgainSameOldTrip."[11]

S0168 Gazer

Gazer creates a mutex using the hard-coded value {531511FA-190D-5D85-8A4A-279F2F592CC7} to ensure that only one instance of itself is running.[12]

S0632 GrimAgent

GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic mymutex.[13]

S1202 LockBit 3.0

LockBit 3.0 can create and check for a mutex containing a hash of the MachineGUID value at execution to prevent running more than one instance.[14]

S0013 PlugX

PlugX has leveraged a mutex in its infection process.[15][16]

S0012 PoisonIvy

PoisonIvy creates a mutex using either a custom or default value.[17]

S1242 Qilin

Qilin can create a mutex to ensure only one instance is running.[18]

S0496 REvil

REvil attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are running on the host.[19]

S1183 StrelaStealer

StrelaStealer variants include the use of mutex values based on the victim system name to prevent reinfection.[20]

S0562 SUNSPOT

SUNSPOT creates a mutex using the hard-coded value {12d61a41-4b74-7610-a4d8-3028d2f56395} to ensure that only one instance of itself is running.[21]

S1239 TONESHELL

TONESHELL has created a mutex to avoid duplicate execution.[9]

S1196 Troll Stealer

Troll Stealer creates a mutex during installation to prevent duplicate execution.[22]

Mitigations

ID Mitigation Description
M1055 Do Not Mitigate

Execution Guardrails likely should not be mitigated with preventative controls because the guardrail itself may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0132 Detection of Mutex-Based Execution Guardrails Across Platforms

AN0372: Adversary-created named mutex using system APIs (e.g., CreateMutexW) followed by conditional process termination or an alternate code path, indicating malware avoiding reinfection.

AN0373: File lock acquired via open() + flock() or lockf() on a predictable path (e.g., /tmp/.lock123) followed by conditional early exit or divergent process behavior.

AN0374: User-mode application uses flock() or NSDistributedLock to gain exclusive access to a resource file (e.g., /tmp/guard.lock), and conditional logic alters execution if the file is already locked.
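The following is an added example, not part of the ATT&CK page or any MITRE analytic implementation, showing the correlation shape of AN0372 and AN0373 over a constructed API-monitor-style event stream: a guard-acquisition call (CreateMutexW, flock, lockf) is flagged when its name matches one of the hard-coded values quoted in the procedure examples above, or when the same process exits within a short window afterwards. The event format, the two-second "early exit" threshold, and the sample events are all assumptions made for the example.

```python
# Hard-coded mutex names and the lock path quoted in this page's procedure examples.
KNOWN_GUARDRAIL_NAMES = {
    "dsajdhas.0",                              # Black Basta
    "LoadUpOnGunsBringYourFriends",            # Embargo
    "IntoTheFloodAgainSameOldTrip",            # Embargo
    "{531511FA-190D-5D85-8A4A-279F2F592CC7}",  # Gazer
    "{12d61a41-4b74-7610-a4d8-3028d2f56395}",  # SUNSPOT
    "/var/run/initd.lock",                     # BPFDoor
}
# Guard-acquisition calls named by AN0372 (Windows) and AN0373 (Linux).
GUARD_CALLS = {"CreateMutexW", "OpenMutexW", "flock", "lockf"}
EARLY_EXIT_SECS = 2.0  # assumed threshold for "conditional early exit"

def parse_event(line):
    """Constructed format: '<ts> <pid> <call> <name>' (name is '-' for ProcessExit)."""
    ts, pid, call, name = line.split(" ", 3)
    return float(ts), int(pid), call, name

def correlate(lines):
    """Return (pid, name, reason) alerts.
    'known_ioc': name matches one quoted on this page;
    'early_exit': guard call followed by ProcessExit within EARLY_EXIT_SECS."""
    pending = {}  # pid -> (timestamp of guard call, name)
    alerts = []
    for ts, pid, call, name in map(parse_event, lines):
        if call in GUARD_CALLS:
            pending[pid] = (ts, name)
            if name in KNOWN_GUARDRAIL_NAMES:
                alerts.append((pid, name, "known_ioc"))
        elif call == "ProcessExit" and pid in pending:
            t0, guard_name = pending.pop(pid)
            if ts - t0 <= EARLY_EXIT_SECS:
                alerts.append((pid, guard_name, "early_exit"))
    return alerts

# Constructed sample: Black Basta-style hit, BPFDoor-style hit, benign service, unknown early-exit lock.
SAMPLE_EVENTS = [
    "10.0 412 CreateMutexW dsajdhas.0",
    "10.3 412 ProcessExit -",
    "11.0 500 CreateMutexW Local\\MyServiceSingleton",
    "12.0 611 flock /var/run/initd.lock",
    "12.1 611 ProcessExit -",
    "13.0 700 flock /var/lock/updater.lock",
    "13.5 700 ProcessExit -",
    "20.0 500 ProcessExit -",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign service (pid 500) acquires a singleton mutex and keeps running, so it produces no alert; the unknown lock at pid 700 is surfaced only by the early-exit shape, which is where tuning against legitimate single-instance daemons is needed.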

References