Description
Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)
While local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)
In Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)
Mutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)
Platforms
Mitigations (1)
Do Not MitigateM1055
Execution Guardrails likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has utilized a mutex to detect whether its malware is actively running on the victim host.(Citation: ... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has created a mutex to avoid duplicate execution.(Citation: 1 - appv) |
Associated Software (18)
| ID | Name | Type | Context |
|---|---|---|---|
| S1247 | Embargo | Malware | [Embargo](https://attack.mitre.org/software/S1247) has utilized a hardcoded mutex name of “LoadUpOnGunsBringYourFriends” using the `CreateMutexW()` fu... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can create a mutex to ensure only one instance is running.(Citation: Halcyon Qilin.B OCT 2024) |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) code contains a global mutex.(Citation: Zscaler PureCrypter JUN 2022) |
| S1161 | BPFDoor | Malware | When executed, [BPFDoor](https://attack.mitre.org/software/S1161) attempts to create and lock a runtime file, `/var/run/initd.lock`, and exits if it f... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has leveraged a mutex in its infection process.(Citation: Eset PlugX Korplug Mustang Panda March 2022... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can create and check for a mutex containing a hash of the `MachineGUID` value at execution to p... |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can create a mutex to ensure only one instance is running at a time.(Citation: ESET HiddenFace 2... |
| S0632 | GrimAgent | Malware | [GrimAgent](https://attack.mitre.org/software/S0632) uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, i... |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) attempts to create a mutex using a hard-coded value to ensure that no other instances of itself are r... |
| S0012 | PoisonIvy | Malware | [PoisonIvy](https://attack.mitre.org/software/S0012) creates a mutex using either a custom or default value.(Citation: FireEye Poison Ivy) |
| S1236 | CLAIMLOADER | Malware | [CLAIMLOADER](https://attack.mitre.org/software/S1236) has created hardcoded mutex to ensure only a single instance of the malware is running.(Citatio... |
| S1196 | Troll Stealer | Malware | [Troll Stealer](https://attack.mitre.org/software/S1196) creates a mutex during installation to prevent duplicate execution.(Citation: S2W Troll Steal... |
| S0562 | SUNSPOT | Malware | [SUNSPOT](https://attack.mitre.org/software/S0562) creates a mutex using the hard-coded value ` {12d61a41-4b74-7610-a4d8-3028d2f56395}` to ensure that... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has created a mutex to avoid duplicate execution.(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLA... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) variants include the use of mutex values based on the victim system name to prevent reinfecti... |
| S0168 | Gazer | Malware | [Gazer](https://attack.mitre.org/software/S0168) creates a mutex using the hard-coded value `{531511FA-190D-5D85-8A4A-279F2F592CC7}` to ensure that on... |
| S1070 | Black Basta | Malware | [Black Basta](https://attack.mitre.org/software/S1070) will check for the presence of a hard-coded mutex `dsajdhas.0` before executing.(Citation: Deep... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has fixed a buffer overflow vulnerability (CVE-2025-0282) by hooking the strncpy function and ... |
References
- Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024.
- Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.
- Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024.
- Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024.
- Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.
Frequently Asked Questions
What is T1480.002 (Mutual Exclusion)?
T1480.002 is a MITRE ATT&CK technique named 'Mutual Exclusion'. It belongs to the Stealth tactic(s). Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or pro...
How can T1480.002 be detected?
Detection of T1480.002 (Mutual Exclusion) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1480.002?
There are 1 documented mitigations for T1480.002. Key mitigations include: Do Not Mitigate.
Which threat groups use T1480.002?
Known threat groups using T1480.002 include: Kimsuky, APT38.