FakeBat Beginner Scenario: Friday Deadline

Pixel & Co. (12-person creative agency)
Downloader • FakeBat
STAKES
Client presentation + Agency reputation + Friday deadline
HOOK
Some workstations show browser hijacking symptoms two days before the agency's biggest ever client pitch.
PRESSURE
  • Career-defining client presentation in 48 hours
  • Client flying in from Copenhagen — rescheduling damages the relationship, not just the account
  • Two designers lose workstation access if machines are isolated now
FRONT • 45-75 minutes • Beginner
NPCs
  • Alex (Agency Owner): Calm, practical, already decided — waiting for permission to act. Taps her notebook when she has made up her mind. 'Tell me what we are dealing with.'
SECRETS
  • Fake Adobe Flash update served from adobeupdate-secure.net (domain registered 6 days ago)
  • Malware runs as a scheduled task beaconing C2 every 15 minutes
  • Three workstations compromised; file server reachable if C2 instruction arrives before isolation

IM Overview

  • Malmon: FakeBat
  • Runtime: 45-75 minutes (Lunch and Learn)
  • Players: 4 (pre-generated team included below)
Important: First-Order Rules – the only things that stay constant

M&M has four rules that never change. Everything else is your style.

  1. The Core Loop: You describe symptoms. Players each take one action. You describe results and evolve the threat.

  2. Success Mechanic: Simple actions succeed automatically. Complex actions: roll d20, 5+ easy, 10+ medium, 15+ hard. (See the d20 callout in Round 1.)

  3. Collaboration: Players assisting each other: +1 per assisting player (max +3), or roll two dice and take the higher.

  4. The Goal: Contain the threat using your roles before the Malmon evolves.

Everything else is yours to improvise. How you voice the NPCs. Whether you use the clue prompts verbatim or paraphrase them. How much you linger on a decision point. Whether you use modifiers at all in a first session. The scenario is fully scripted, so you are never forced to improvise. But the best sessions always go somewhere the script did not expect. When that happens, follow them there. That is M&M working.

These rules are defined in the IM Quick Start Guide. The rest of this scenario teaches you the full system one mechanic at a time.

All three resolution endings – contained, partial, and Stage 2 triggered – were written to be narratively interesting. The worst ending produces the richest debrief.


Before You Begin

Materials needed:

  • This document (print or screen)
  • Physical d20 dice – bring a handful (3-5 recommended); players can share one die but everyone rolling their own is more engaging. Digital dice apps exist as a last resort when no physical dice are available.
  • Role cards for: Detective, Protector, Tracker, Communicator
  • Player tent cards (optional – printable name placards for the table)

No other preparation required. Everything – clues, NPC lines, decision points, and resolution endings – is scripted below. Read through once before running. If you have 5 extra minutes, read the Setting the Scene section aloud to yourself.

Tip: You cannot break this scenario

Every path through this scenario leads somewhere useful. If players do not contain the threat, the story escalates naturally – the presentation flickers, the client sees something, and the debrief question writes itself. You do not need to improvise consequences; they are already scripted. Your only job is to keep the conversation moving. If the room goes quiet for more than 30 seconds, offer the next clue prompt.

Partial-success complications: use one of these when a roll misses by 1-3 points. Pick whichever fits the moment.

Situation What to say
Investigation “You find what you were looking for – but it raises a question you were not expecting.”
Technical “It works – but slower, or with a side effect. Something had to give.”
Social “They agree, but only halfway. What do you offer to get the rest?”
Under pressure “You get the result – but the delay cost you. The situation moved while you worked.”

Pre-Generated Team

Tip: Assigning roles

Hand out role cards and ask: “Which of these sounds most like how you would approach a security incident?” Give players 30 seconds. In practice, most new players do not have strong preferences – that is fine. If nobody steps forward for a role, assign at your discretion. Any combination works; the roles are designed to complement each other.

When the script addresses a clue to a role – “Tracker, the download logs show…” – use the player’s actual name instead of the role label. Players are themselves in this scenario.

  • Detective – “You always ask who had access and when. Your job is to trace what happened.”
    • Situational anchor: You were brought in three weeks ago to audit the agency’s systems before the presentation. This is your first real incident.
    • Play as: you ask one more question even when the team is ready to act.
  • Protector – “Your instinct is to isolate first, ask questions second. You keep the threat from spreading.”
    • Situational anchor: You set up this agency’s IT two years ago. If something got through, you want to know how.
    • Play as: you state the action you want to take, then immediately ask who disagrees.
  • Tracker – “You follow the data trail. You want logs and timestamps before anyone acts.”
    • Situational anchor: You noticed the redirect behavior yesterday but were overruled when you suggested pulling the machines. This morning you were right.
    • Play as: you quote a specific number from the evidence before making any recommendation.
  • Communicator – “You keep stakeholders calm and the team aligned. You decide what gets communicated and when.”
    • Situational anchor: Alex called you before IT because you have the client relationship. Your job is to decide what the client hears and when.
    • Play as: you repeat back what you heard before responding, especially when the news is bad.

Setting the Scene

Note: Read aloud to players

It is Wednesday morning at Pixel and Co., a 12-person creative agency that has spent the last three months producing the campaign of their careers. Friday is the client presentation – a pitch worth more than everything else in the studio’s portfolio combined. Agency owner Alex gathered the team at 9am, but instead of the usual pre-presentation energy, several designers report that their browsers are behaving strangely: search results redirect to unfamiliar sites, ads appear inside design tools, and new toolbar icons showed up overnight. The IT consultant was called in. The team is gathered around the kitchen table. What do you do?


Note: What to expect from the dice

Most rolls succeed. At DC 10 – the default here – players succeed 55% of the time (10-20 on a d20, since meeting the target counts). Partial successes (7-9) advance the story too; only 1-6 creates real friction. The clue tables below give you scripted text for every outcome band.

Use DC 15 once per round at most. At that threshold success drops to 30%. Reserve it for genuinely hard moments – cutting-edge analysis or high-stakes social pressure.

When to skip the dice entirely: Simple, clear actions succeed automatically. The dice are for genuine uncertainty only.

Round 1: What Got In

Tip: [TUTORIAL] The Core Loop – explain this before Round 1 begins

Before you start, explain the three steps to your players:

  1. You describe what the team observes. A situation, a symptom, a piece of information.
  2. Each player takes one action. What does your character do? Anything realistic counts – ask a question, run a scan, check a log, call someone, isolate a machine.
  3. You describe what they find, then evolve the situation.

That is the whole game. Everything else builds on those three steps.

Some workstations show browser hijacking symptoms. The team has the morning. The client presentation is in 48 hours. Alex, the agency owner, is hovering near the door looking tense.

Tip: Two ways to use the clue tables (after Sly Flourish)

Reactive (player-driven): When a player declares an investigation action that matches a clue below, ask for a d20 roll and read the matching row. The roll determines how much they find and how cleanly.

Proactive (stuck group): If the room has genuinely worked at it for a minute and is still stuck, offer the 10-19 row directly, no roll required. Do not narrate what it means. Describe the finding and let the team draw the conclusion.

A player’s wrong hypothesis – “maybe it is ransomware?” – is more valuable than your next clue. Ask what evidence would confirm or rule it out first.

Clue 1 – Download logs (proactive: ~3 min; reactive: Tracker pulls logs → DC 10)

Roll What you say
20 ★ “Tracker, three workstations – same domain, same 4-minute download window. The lure was served to all three at once. This was one campaign hitting one workflow, not three unrelated clicks.”
10-19 “Tracker, the download logs show three workstations pulled an executable from adobeupdate-secure.net yesterday afternoon. Domain registered six days ago.”
7-9 ◐ “Tracker, you find the domain – registered six days ago – but timestamps on two machines were overwritten. Three machines hit; you cannot confirm when.”
1-6 “Tracker, yesterday afternoon’s logs are gone. Either the malware cleared them or someone did. The trail starts this morning.”

Clue 2 – Browser history (proactive: ~6 min; reactive: Detective checks sessions → DC 10)

Roll What you say
20 ★ “Detective, the sequence is exact: stock imagery search, Flash prompt, download – three minutes start to finish. Two others saw the same prompt and closed it. This was targeting a specific workflow.”
10-19 “Detective, browser history shows all three affected users were sourcing stock imagery when a ‘Flash Player update required’ prompt appeared. Two others saw the same prompt but closed it.”
7-9 ◐ “Detective, one machine has intact history – stock imagery, Flash prompt, download. The other two have gaps. The pattern is visible but not complete.”
1-6 “Detective, browser history on all three machines has been cleared. You know the Flash prompt appeared – designers mentioned it – but nothing is left to verify the sequence.”

Clue 3 – Installed file analysis (proactive: ~9 min; reactive: Protector examines the executable → DC 15)

Roll What you say
20 ★ “Protector, unsigned file, launched from Temp, scheduled task every 15 minutes – and it is currently beaconing to 198.51.100.42. Last outbound connection: 8 minutes ago.”
10-19 “Protector, the installed file is not signed by any known vendor. It launched from the Temp folder and added a scheduled task that runs every 15 minutes.”
7-9 ◐ “Protector, you find the scheduled task – 15-minute cadence – but the executable has renamed itself to something that resembles a Windows system process. You know it is there; you cannot confirm what it is doing.”
1-6 “Protector, the process is masquerading as a system component. Standard signature checks come back clean. A behavior scan is needed, not a file scan.”

Tip: [TUTORIAL] The d20 – the full system

When a player attempts something with uncertain outcome – scanning a system for malware, convincing a skeptical colleague to let them isolate a machine, pulling logs that might have been cleared – ask for a d20 roll.

Target numbers:

  • Easy (5+): Standard procedures with the right tools – succeed most of the time
  • Medium (10+): Complex analysis, uncertain coordination, or working under pressure
  • Hard (15+): Cutting-edge techniques, high-stakes decisions, or significant obstacles

Degrees of success:

  • Critical (natural 20): Exceptional result – extra information, bonus, or advantage in the next action
  • Full success (meets or beats target): Complete achievement
  • Partial success (within 3 below target): Useful result with a complication or cost – the story still advances
  • Failure (4+ below target): Does not achieve the goal; may create a new complication

Automatic success: Skip the dice entirely when a player’s expertise, the right tools, and a clear plan all line up. The dice are for genuine uncertainty, not a control mechanism.

For most first-session actions, set the target at 10. Only push to 15 when the stakes genuinely warrant it.

NPC interruption:

Warning: In character – Alex calls from the doorway

“I need to know before lunch whether the presentation files are safe. The client is flying in from Copenhagen. If I have to reschedule, it is not just the account – it is the relationship. Tell me what we are dealing with.”

She taps her notebook twice before speaking – a habit the team has learned means she has already made a decision and is waiting for permission to act on it.

Round 1 Decision Point:

Alex needs an answer. The team must decide how to respond:

  • Option A: Isolate the three affected machines immediately. Take the workstations off the network now. Stop the spread before investigating further.
    • Outcome: The affected machines are contained. Two designers are without workstations for the rest of the day. The presentation files on those machines are inaccessible until cleared. But the threat cannot reach the file server – yet.
    • Alex nods quickly: “Good. I will call the client now. What do I tell them?”
  • Option B: Monitor but do not isolate yet. Keep investigating to understand the full scope before any disruption.
    • Outcome: The team gathers better evidence. But during Round 2, FakeBat phones home and receives an instruction to probe the file server. The threat has a 20-minute window to reach the presentation files.
    • Alex looks at the Tracker: “How long do you need? I have to know before 11.”
  • Option C: Tell Alex everything now. The Communicator informs Alex of the full situation before any technical decision is made.
    • Outcome: Alex makes the call to isolate (same as Option A), but the team now has Alex as an active ally rather than an anxious presence. Alex calls the client to manage expectations – the relationship pressure drops. Containment proceeds as in Option A.
    • Alex exhales slowly: “All right. Tell me everything. But make it fast.”

Whichever option they choose, move to Round 2. If they chose Option B, note that the file server is now at risk.


Round 2: How Far Did It Go?

The source is identified and the decision made. Now the team needs to understand what the malware has been doing since it installed – and whether it has already reached further than the affected workstations.

Tip: [TUTORIAL] Collaboration Bonus – introduce the first time two players want to work together

When two or more players combine their actions toward the same goal:

  • +1 per assisting player (maximum +3), or
  • Advantage: roll two d20 dice and take the higher result

Either approach works – use advantage when it is cleaner to narrate, use the bonus when stacking precision matters.

Automatic success: When the whole team coordinates clearly with good logic and role division, skip the dice entirely. Perfect collaboration earns it.

Example: the Tracker pulls the network logs while the Detective cross-references them against the installation timeline. That is a collaboration – one assisting player, so +1, or advantage.

Note: IM Reference – Modifiers at a glance

Apply these when they make a moment more real or more interesting – not mechanically:

Situation Modifier
Action aligns with player’s role +2
Action misaligns with role -1
Super effective response type +2
Not effective response type -2
Strong security posture supporting action +2
Significant obstacle -2
Threat actively evolving -1 to -3

Stacking example: A Tracker (+2 role) pulling logs while the threat is actively evolving (-1 time pressure) rolls at +1.

For a first session: You do not need to apply modifiers at all. Use them when a player does something that should obviously be easier or harder than straight 50/50.
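The figures quoted in the dice note (55% at DC 10, 30% at DC 15), the four degrees of success in the d20 tutorial and the bonus-versus-advantage choice in the Collaboration Bonus tutorial can all be checked exactly. The script below is an added example for IMs who want to see the whole outcome table, not part of the scenario text. It assumes two things the rules leave implicit: a natural 20 is a critical regardless of modifiers, and with advantage the higher of the two dice is the one that counts.

```python
"""Exact outcome probabilities for the M&M d20 mechanic (added example)."""
from fractions import Fraction
from itertools import product

BANDS = ("critical", "full", "partial", "failure")


def outcome(natural, dc, modifier=0):
    """Degree of success for one natural d20 result against target dc."""
    if natural == 20:          # assumption: a natural 20 is always a critical
        return "critical"
    total = natural + modifier
    if total >= dc:            # meets or beats target
        return "full"
    if total >= dc - 3:        # within 3 below target
        return "partial"
    return "failure"


def distribution(dc, modifier=0, advantage=False):
    """Probability of each band as an exact fraction. With advantage the roll is the
    higher of two dice, so all 400 equally likely ordered pairs are enumerated."""
    if advantage:
        rolls = [max(a, b) for a, b in product(range(1, 21), repeat=2)]
    else:
        rolls = list(range(1, 21))
    counts = {band: 0 for band in BANDS}
    for natural in rolls:
        counts[outcome(natural, dc, modifier)] += 1
    return {band: Fraction(n, len(rolls)) for band, n in counts.items()}


def success_chance(dc, modifier=0, advantage=False):
    """Critical plus full success: the chance the action simply works."""
    d = distribution(dc, modifier, advantage)
    return d["critical"] + d["full"]


def better_collaboration(dc, assisting_players):
    """Rule 3 offers +1 per assisting player (max +3) or advantage. Return which
    of the two gives the acting player the higher success chance at this dc."""
    flat = success_chance(dc, min(assisting_players, 3))
    adv = success_chance(dc, 0, advantage=True)
    return "bonus" if flat > adv else "advantage"


if __name__ == "__main__":
    for dc in (5, 10, 15):
        for adv in (False, True):
            d = distribution(dc, advantage=adv)
            label = "advantage " if adv else "single die"
            print(f"DC {dc:2} {label}: "
                  + ", ".join(f"{band} {float(p):.1%}" for band, p in d.items()))
```

Two things the table makes obvious that the prose does not: advantage at DC 10 succeeds about 80% of the time, more than the full +3 stack (70%), so the "cleaner to narrate" option is also the stronger one at the default difficulty; the flat bonus only pulls ahead at DC 20, where advantage cannot create a natural 20 that a single die could not.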

Clue 4 – C2 beacon (reactive: Tracker or Protector analyses outbound traffic → DC 10)

Roll What you say
20 ★ “The scheduled task calls home every 15 minutes – and the latest check-in came back with a response body where every earlier one came back empty. An instruction has been queued. The task has not acted on it yet.”
10-19 “The scheduled task calls home to a C2 server every 15 minutes. Most recent outbound connection: 12 minutes ago. It is sending browser credential data.”
7-9 ◐ “You confirm regular outbound connections every 15 minutes – something is phoning home. The connection is encrypted; you can see the cadence but not the content.”
1-6 “The beacon intervals have shifted to irregular timing. Either the operator turned on jitter or the cadence was changed on instruction; either way, your 15-minute filter no longer catches it.”
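Both trails the Tracker follows, the executable pulled from a six-day-old domain (Clue 1) and the 15-minute check-ins to one address (Clue 4), come out of the same proxy or firewall log. The script below is an added example, not material from the scenario, showing how each is found. The log lines, hostnames, registration dates and the 198.51.100.42 address are constructed for the example; in practice the registration dates would come from a WHOIS/RDAP lookup rather than a dictionary.

```python
"""Proxy-log triage for young-domain downloads and periodic beacons (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: timestamp, source host, destination, path, bytes sent.
PROXY_LOG = """\
2024-05-14T14:02:11 DESIGN-01 adobeupdate-secure.net /flash/update_installer.exe 1204
2024-05-14T14:03:40 DESIGN-03 adobeupdate-secure.net /flash/update_installer.exe 1204
2024-05-14T14:05:58 DESIGN-07 adobeupdate-secure.net /flash/update_installer.exe 1204
2024-05-14T14:10:00 DESIGN-01 stockimagery.example.com /search?q=office 812
2024-05-15T08:00:03 DESIGN-01 198.51.100.42 /api/v1/check 2311
2024-05-15T08:15:07 DESIGN-01 198.51.100.42 /api/v1/check 2290
2024-05-15T08:30:02 DESIGN-01 198.51.100.42 /api/v1/check 2305
2024-05-15T08:45:09 DESIGN-01 198.51.100.42 /api/v1/check 2298
2024-05-15T09:00:01 DESIGN-01 198.51.100.42 /api/v1/check 2310
2024-05-15T08:01:00 DESIGN-02 cdn.example.net /fonts/a.woff 120
2024-05-15T08:09:00 DESIGN-02 cdn.example.net /fonts/b.woff 120
2024-05-15T08:40:00 DESIGN-02 cdn.example.net /fonts/c.woff 120
2024-05-15T09:55:00 DESIGN-02 cdn.example.net /fonts/d.woff 120
"""

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "adobeupdate-secure.net": datetime(2024, 5, 9),
    "stockimagery.example.com": datetime(2015, 3, 2),
    "cdn.example.net": datetime(2012, 1, 10),
}
INCIDENT_NOW = datetime(2024, 5, 15)          # the Wednesday morning of Round 1
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".msix", ".bat", ".ps1")


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, host, dest, path, size = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "dest": dest, "path": path, "bytes": int(size)})
    return rows


def young_domain_downloads(rows, now=INCIDENT_NOW, max_age_days=30):
    """Clue 1: executables fetched from domains registered less than max_age_days ago.
    Returns (host, domain, age_in_days) per download."""
    hits = []
    for r in rows:
        created = DOMAIN_CREATED.get(r["dest"])
        if created is None or not r["path"].lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        age = (now - created).days
        if age < max_age_days:
            hits.append((r["host"], r["dest"], age))
    return hits


def beacon_candidates(rows, min_events=4, max_jitter=0.1):
    """Clue 4: (host, dest) pairs whose gaps between connections are near-constant.
    Jitter is the coefficient of variation of the gaps; a scheduled task with a fixed
    repetition trigger scores close to zero, ordinary browsing does not.
    Returns (host, dest, period_in_minutes, jitter)."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["host"], r["dest"])].append(r["ts"])
    out = []
    for (host, dest), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            out.append((host, dest, round(period / 60), round(jitter, 3)))
    return out


if __name__ == "__main__":
    rows = parse_log(PROXY_LOG)
    print("young-domain downloads:", young_domain_downloads(rows))
    print("beacon candidates:", beacon_candidates(rows))
```

The 1-6 row of Clue 4 is exactly the case this cadence test misses: once the operator adds jitter, the coefficient of variation climbs past the threshold and the pair drops out of `beacon_candidates`. When that happens, fall back on what does not change, the destination itself: a rarely seen address contacted by one host dozens of times a day, or a domain that only exists since last week, is still visible in the first function's style of check even when the timing is not.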

Clue 5 – File server status (no roll – factual reveal based on Round 1 outcome)

If players isolated in Round 1 (Option A or C): “The shared file server shows no signs of compromise. No unauthorized access events detected.”

If players monitored in Round 1 (Option B): “The server shows one unauthorized access event – the presentations folder was opened by the compromised machine 8 minutes ago. Files appear intact but cannot be confirmed clean without inspection.”

Malmon card reveal trigger:

Note: IM note – show the FakeBat card when players identify the threat

When players describe “fake software update,” “browser hijacker,” “downloader,” or anything close, show them the FakeBat card and say:

“Your analysis confirms this is FakeBat – a downloader distributed through fake browser and plugin updates. It is not ransomware; it is a credential harvester and a delivery vehicle for follow-on payloads. If you do not remove it cleanly, it will reinstall itself from that scheduled task.”

If players have not named it by end of Round 2, give them this:

“Your logs confirm this is FakeBat – malware that masquerades as a legitimate software update, installs silently, and starts harvesting browser credentials while beaconing for further instructions.”

Round 2 Decision Point:

The team now knows the scope. They must decide what to tell Alex and the client:

  • Option A: Full disclosure to Alex now, no client contact yet. Tell Alex exactly what happened – fake update, credential theft, contained to three workstations (or server if Option B was chosen). Let Alex decide on client communication.
    • Outcome: Alex is shaken but grateful for the honest picture. The agency can prepare a professional client communication. Friday presentation proceeds with a clean story if containment holds.
    • Alex: “Then I tell them we had a security incident, we caught it, and we are handling it professionally. Right?”
  • Option B: Remediate first, disclose after. Complete the cleanup before telling Alex anything definitive.
    • Outcome: Technical remediation succeeds. Alex gets cleaner news. But during debrief, Alex will ask why it took so long to know – a realistic tension around disclosure timing.
    • Alex: “I appreciate the restraint. Just tell me the moment you know.”

Round 2 ends. Move to Round 3.


Round 3: Friday

It is Thursday afternoon. The file server is clean (or has been cleaned). The presentation files are confirmed intact. But the credentials harvested by FakeBat need to be dealt with, and the team must decide how to prevent reinfection.

Tip: [TUTORIAL] Type Effectiveness – introduce during the final response decision

In M&M, some responses are more effective against certain threat types than others.

FakeBat is a Downloader / Trojan type.

  • Super effective: Network isolation of infected hosts + full removal of persistence artifacts (scheduled tasks, registry keys) + credential resets for all affected accounts. This combination removes the malware, cuts the C2 connection, and invalidates any harvested credentials.
  • Not very effective: Antivirus scan alone. FakeBat uses legitimate-looking scheduled tasks for persistence. An antivirus that catches the initial binary will miss the reinstaller unless the task is also removed.
  • Normal effectiveness: Scheduled task removal + malware scan + credential reset. Removes the installed malware and its main persistence mechanism, but leaves more room for error than a full rebuild. (This is Option B below.)
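What separates "super effective" from "normal effectiveness" above is whether every persistence artifact is found and confirmed gone, which is also what the Protector is doing in Clue 3 (unsigned file in Temp, 15-minute task, a name borrowed from a Windows process). The script below is an added example, not part of the scenario or of any real FakeBat analysis, that scores an inventory of scheduled tasks and Run-key values and then checks an after-cleanup inventory against the flagged set. The task names, file paths, registry values and the signature results are constructed; on a real host the inventory would be built from `schtasks /query /v /fo csv`, the Run/RunOnce keys and `Get-AuthenticodeSignature`.

```python
"""Persistence triage and cleanup verification for one workstation (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed path categories, compared lower-case.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Real Windows binary names that droppers borrow when they rename themselves (assumed list).
LOOKALIKE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "runtimebroker.exe", "conhost.exe"}


@dataclass(frozen=True)
class Artifact:
    kind: str                           # "task" (scheduled task) or "runkey" (...\Run value)
    name: str                           # task path or registry value name
    path: str                           # executable the artifact launches
    signed: bool                        # Authenticode signature valid, known publisher
    interval_min: Optional[int] = None  # repetition trigger in minutes (tasks only)


def reasons(a: Artifact) -> List[str]:
    """Independent indicators that this artifact is not a normal product install."""
    p = a.path.lower()
    exe = p.rsplit("\\", 1)[-1]
    out = []
    if any(marker in p for marker in USER_WRITABLE):
        out.append("runs from a user-writable location")
    if not a.signed:
        out.append("unsigned executable")
    if a.kind == "task" and a.interval_min is not None and a.interval_min <= 30:
        out.append(f"repeats every {a.interval_min} min")
    if exe in LOOKALIKE_NAMES and not p.startswith(SYSTEM_DIRS):
        out.append("system-binary name outside a system directory")
    return out


def flag_persistence(inventory):
    """Clue 3: artifacts with at least two indicators. One alone is too noisy
    (OneDrive below legitimately runs from AppData)."""
    return [a for a in inventory if len(reasons(a)) >= 2]


def verify_cleanup(flagged_before, inventory_after):
    """Round 3 Option B check: every flagged artifact must be gone, and the binary
    it launched must not have been re-registered under another name."""
    remaining = set(inventory_after)
    missed = [a for a in flagged_before if a in remaining]
    launched = {a.path.lower() for a in flagged_before}
    reregistered = [a for a in inventory_after
                    if a.path.lower() in launched and a not in flagged_before]
    return missed + reregistered


# Constructed inventory from one affected workstation before cleanup.
INVENTORY_BEFORE = [
    Artifact("task", "\\MicrosoftEdgeUpdateTaskMachineCore",
             "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", True, 60),
    Artifact("task", "\\AdobeFlashUpdateSvc",
             "C:\\Users\\dana\\AppData\\Local\\Temp\\svchost.exe", False, 15),
    Artifact("runkey", "FlashHelper",
             "C:\\Users\\dana\\AppData\\Local\\Temp\\svchost.exe", False),
    Artifact("runkey", "OneDrive",
             "C:\\Users\\dana\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", True),
]
# Same workstation after a cleanup that removed the task but not the Run value.
INVENTORY_AFTER = [INVENTORY_BEFORE[0], INVENTORY_BEFORE[2], INVENTORY_BEFORE[3]]

if __name__ == "__main__":
    flagged = flag_persistence(INVENTORY_BEFORE)
    for a in flagged:
        print(f"{a.kind} {a.name}: {', '.join(reasons(a))}")
    print("still present after cleanup:", [a.name for a in verify_cleanup(flagged, INVENTORY_AFTER)])
```

The second inventory is the Partial containment ending in miniature: the scheduled task was removed, the Run value launching the same binary was not, and `verify_cleanup` reports it before Monday does. Taking the inventory on the machine after cleanup, rather than trusting the removal commands, is the difference between the 10+ and 1-6 rows of the Option B quality check.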

Final Response Decision:

The team must choose their remediation approach before Friday’s presentation:

  • Option A: Full endpoint rebuild + credential reset. Wipe and rebuild the three affected workstations from clean images. Reset all browser-stored credentials on affected accounts. Block the download domain and the C2 address at the firewall.
    • Type effectiveness: Super effective
    • Outcome: Presentation day is clean. Designers work from backup machines. The threat is gone. Cost: half a day of designer downtime.
  • Option B: Scheduled task removal + malware scan + credential reset. Remove the persistence mechanism manually, run a full scan, and reset credentials. Keep the machines running.
    • Type effectiveness: Normal effectiveness
    • Ask the Tracker (or Protector) to roll d20 – this is the cleanup quality check (DC 10):
Roll Outcome
10+ Clean. Presentation day is clear. Read the Contained ending.
7-9 ◐ Probably clean – but one machine shows no log entry confirming task removal. Worth checking Monday. Read the Partial containment ending.
1-6 A secondary persistence artifact was missed. FakeBat reinstalls overnight. Monday morning, the Tracker finds it. Read the Partial containment ending.
  • Option C: Credential reset only, defer full remediation until after Friday. Reset all passwords now. Deal with the infected machines after the presentation.
    • Type effectiveness: Not very effective
    • Outcome: Credentials are safe. But the malware is still running and continues to beacon. On Friday during the presentation, one browser redirect appears on a screen visible to the client. The client notices.

Resolution:

Note: Read aloud – Contained (Option A or successful Option B)

Friday arrives. The presentation room is clean. Alex walks the client through three months of creative work on machines the team knows are safe. The client does not know there was an incident – only that the team delivered on time and professionally. After the meeting, Alex pulls the team aside: “I want a short-term retainer for whoever fixed this. We cannot have that happen again.” The agency walks away with the account and a new security conversation started.

Note: Read aloud – Partial containment (Option B with reinstall)

Friday’s presentation goes well. Monday morning, the Tracker notices the scheduled task is back on one machine. FakeBat reinstalled from a secondary persistence artifact that was missed. The credential harvest has resumed – but only for three days. Credential resets will need to happen again. The good news: the client account is won. The bad news: the cleanup job is not finished yet.

Note: Read aloud – Stage 2 triggered (file server was compromised or Option C chosen)

During the presentation, a browser redirect flickers across the screen for three seconds before a designer closes it. The client sees it. The meeting goes quiet. After a pause, the client says: “We will need to talk about security before we sign anything.” The account is not lost – but it is not won either. The team has a second meeting scheduled, and a real story to tell about what they have learned and what they have changed.


Handouts


Debrief Guide

Standard closing questions (ask all 4):

  1. “What was the first moment you suspected something was wrong?”
  2. “Which decision felt hardest, and why?”
  3. “What would you do differently if this happened at your actual organization?”
  4. “What is one thing you will remember from today’s session?”

Scenario-specific question:

“The fake update prompt looked legitimate to experienced designers under deadline pressure. What would make you stop and verify a software update prompt before clicking, even when you are in a hurry?”

IM note: if the group asks how they could have known, Adobe ended support for Flash Player in December 2020 and current browsers no longer run it, so any “Flash Player update required” prompt is a lure by definition. The general lesson carries over to other software: updates arrive through the application or the operating system, not through a prompt on a web page.


What’s Next

Your group has completed their first M&M session. Here are natural next steps:

More FakeBat scenarios:

Try GaboonGrabber:

Upgrade your prep: