Malmon Reference Guide

This appendix contains detailed profiles for all malmons in the Malware & Monsters system. Each profile includes behavioral patterns, technical capabilities, containment strategies, and facilitation notes.

Contemporary Malmons

GaboonGrabber: The First Malmon

Malmon Profile

Classification: Trojan/Stealth ⭐⭐
Discovery Credit: Lena Yu, Cybersecurity Researcher
First Documented: 2023
Threat Level: Intermediate (Perfect for new teams)

Malmon Card Reference

GaboonGrabber

Trojan/Stealth

⭐⭐

GaboonGrabber was discovered and named by Lena aka LambdaMamba, and is the first Malmon ever created. Written in .NET, it extracts embedded resources to launch multiple fileless stages. It camouflages itself as legitimate software—even mimicking app code—to avoid detection. Its final stage can deploy threats like Snake Keylogger, AgentTesla, Redline, Lokibot, and more.

🔥

Perfect Mimicry

Appears as legitimate software updates with +3 bonus to social engineering attempts

⚡

Fileless Deployment

Uses process injection and memory-only persistence with +2 bonus against traditional antivirus

🔮

Multi-Payload Delivery

Can deploy Snake Keylogger, AgentTesla, or Redline after 24+ hours of successful infection

⬆️

Advanced Persistent Threat

Gains network lateral movement capabilities and develops custom tools for long-term persistence

💎

Behavioral Analysis

Vulnerable to runtime monitoring and behavioral detection with -3 penalty when defenders use advanced behavioral tools

🔍6

🔒8

📡6

💣7

🥷9

Discovered By:Lena Yu

Habitat:Email attachments, software downloads

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1566.001 (Spearphishing Attachment)
• Execution: T1204.002 (Malicious File)
• Persistence: T1547.001 (Registry Run Keys/Startup Folder)
• Defense Evasion: T1027 (Obfuscated Files or Information), T1055 (Process Injection)
• Discovery: T1083 (File and Directory Discovery), T1057 (Process Discovery)
• Collection: T1005 (Data from Local System)
• Exfiltration: T1041 (Exfiltration Over C2 Channel)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1027 Obfuscated Files or Information	Defense Evasion	Uses obfuscated .NET code and encrypted payloads to evade detection	Code analysis tools, behavioral detection, sandboxing	Static analysis, entropy analysis, deobfuscation tools
T1005 Data from Local System	Collection	Collects sensitive data from infected systems for exfiltration	Data loss prevention, access controls, file monitoring	File access monitoring, data collection patterns, DLP alerts
T1204.002 Malicious File	Execution	Users execute the malicious payload believing it to be a legitimate software update	Application control, user education, execution policy	Process monitoring, execution logging, behavioral analysis
T1041 Exfiltration Over C2 Channel	Exfiltration	Sends collected data to attacker-controlled servers via command and control channels	Network monitoring, egress filtering, traffic analysis	Network traffic analysis, C2 communication patterns, data flow monitoring
T1057 Process Discovery	Discovery	Identifies running processes to understand system state and security tools	Process monitoring, system hardening, security tool protection	Process enumeration monitoring, security tool alerting
T1566.001 Spearphishing Attachment	Initial Access	GaboonGrabber spreads via convincing phishing emails with malicious attachments	Email security controls, user training, attachment scanning	Email analysis, attachment behavior monitoring, user reporting
T1055 Process Injection	Defense Evasion	Injects malicious code into legitimate processes to hide execution	Process monitoring, memory protection, behavioral analysis	Process behavior monitoring, memory analysis, API monitoring
T1083 File and Directory Discovery	Discovery	Enumerates files and directories to identify valuable data for collection	File system monitoring, access controls, principle of least privilege	File access monitoring, unusual enumeration patterns, audit logs
T1547.001 Registry Run Keys/Startup Folder	Persistence	Establishes persistence through registry modifications and startup mechanisms	Registry monitoring, startup item control, system hardening	Registry monitoring, startup enumeration, persistence scanning

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

Perfect Mimicry:

• Appears identical to legitimate software updates
• Uses convincing file names and digital certificate spoofing
• Mimics trusted software installer behavior and appearance
• +3 bonus to social engineering effectiveness

Fileless Deployment:

• Operates primarily in memory to avoid disk-based detection
• Uses process injection to hide within legitimate processes
• Minimal file system artifacts during active operation
• +2 bonus against traditional antivirus detection

Multi-Payload Deployment (Hidden Ability):

• Can deploy Snake Keylogger, AgentTesla, or Redline after establishing persistence
• Triggers automatically after 24+ hours of successful infection
• Each payload has different objectives and detection signatures
• Creates complex, multi-faceted incident response challenge

Type Effectiveness Against GaboonGrabber

Understanding which security controls work best against Trojan-type threats like GaboonGrabber:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Behavioral Analysis, User Education, Runtime Monitoring
• Moderately Effective: System Restoration, Network Isolation
• Least Effective: Signature Detection (especially against evolved variants), Static Analysis

Use this to guide teams toward type-appropriate response strategies during sessions.

Vulnerabilities

Behavioral Analysis Weakness:

• Runtime monitoring can detect abnormal process behavior
• Memory analysis reveals injected code patterns
• Network monitoring shows unusual communication patterns
• -3 penalty when defenders use advanced behavioral tools

User Education Susceptibility:

• Social engineering awareness training reduces success rate
• Email security training helps users identify suspicious attachments
• Security awareness programs improve organization-wide resistance

Facilitation Guide

Pre-Session Preparation

Choose GaboonGrabber When:

• New teams learning basic incident response coordination
• Mixed experience groups with both novice and experienced members
• Social engineering education is a learning objective
• Type effectiveness concepts need to be demonstrated clearly
• Process injection and behavioral analysis concepts should be taught

Avoid GaboonGrabber When:

• Advanced teams seeking sophisticated technical challenges
• Speed-focused sessions where complexity might slow learning
• Network-focused training where endpoint threats aren’t the priority

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Multiple users report computers running slowly since yesterday afternoon”
• “Help desk received calls about unexpected pop-ups appearing”
• “Users mention receiving ‘critical security update’ emails yesterday”
• “Some applications are taking longer to start than usual”

IM Question Progression:

1. “What would be your first concern hearing these symptoms?”
2. “How might you investigate what happened yesterday afternoon?”
3. “What would make users click on a security update email?”
4. “What patterns connect slow computers with security updates?”

Expected Player Discovery Path:

• Detective: Investigates logs, finds suspicious executables in temp directories
• Protector: Checks running processes, discovers process injection indicators
• Tracker: Monitors network traffic, identifies unusual outbound connections
• Communicator: Interviews users, learns about convincing phishing emails
• Crisis Manager: Coordinates investigation, manages timeline and priorities
• Threat Hunter: Searches for additional compromise indicators

Malmon Identification Moment: Guide the team to recognize: “This appears to be a sophisticated Trojan that’s very good at pretending to be legitimate software.”

Investigation Phase (Round 2) Facilitation

Impact Assessment Questions:

• “If this malware has been active for 24+ hours, what might it have accomplished?”
• “What data would be valuable to an attacker in your environment?”
• “How would you determine the scope of compromise?”

Attack Vector Analysis:

• “What made the phishing emails so convincing?”
• “How did the malware gain persistence on infected systems?”
• “What vulnerabilities did this attack exploit?”

Evolution Threat Introduction:

• “Your monitoring tools are showing new suspicious processes starting up…”
• “It appears the original malware is trying to download additional tools…”
• “What would worry you most about this threat evolving?”

Response Phase (Round 3) Facilitation

Strategy Development:

• “Given this is a Trojan type threat, what approaches would be most effective?”
• “How do you balance speed with thoroughness in your response?”
• “What coordination is needed between your different roles?”

Implementation Challenges:

• Present dice rolls for containment attempts
• Reward type-effective approaches (behavioral analysis, user education)
• Challenge ineffective approaches (signature-only detection)
• Emphasize team coordination benefits

Advanced Facilitation Techniques

Adapting for Different Experience Levels

For Novice Groups:

• Provide more explicit guidance about investigation techniques
• Explain technical concepts as they arise naturally in the scenario
• Focus on collaboration and communication over technical complexity
• Use automatic successes for good teamwork and logical approaches

For Mixed Groups:

• Let experienced players mentor newcomers through complex concepts
• Encourage peer teaching moments about malware analysis and incident response
• Use experienced players to validate and expand on technical discussions
• Balance individual expertise with team collaboration

For Advanced Groups:

• Add complexity with multiple payloads and attribution challenges
• Introduce time pressure and resource constraints
• Include advanced evasion techniques and threat actor behaviors
• Focus on innovation and technique development

Troubleshooting Common Issues

If Players Focus Too Much on Technical Details:

• “That’s great analysis - how does this inform your team’s next steps?”
• “How would you explain this finding to the rest of the incident response team?”
• “What decisions does this evidence help you make?”

If One Role Dominates Investigation:

• “Detective, that’s valuable insight - what questions would other roles ask about this?”
• “How might the Protector’s perspective on this evidence differ from the Detective’s?”
• “What would worry the Communicator about these findings?”

If Team Gets Stuck:

• “What would you try if you had unlimited resources and time?”
• “If you had to guess, what kind of threat do these symptoms suggest?”
• “What’s your gut instinct about what happened here?”

Real-World Learning Connections

Key Cybersecurity Concepts Taught

Social Engineering Awareness:

• How sophisticated phishing emails convince users to click
• The importance of user education and security awareness training
• Why technical controls alone aren’t sufficient for security

Process Injection and Evasion:

• How malware hides within legitimate processes
• Why behavioral analysis is critical for modern threat detection
• The limitations of signature-based detection methods

Multi-Stage Attacks:

• How initial compromise leads to additional payload deployment
• The importance of rapid response to prevent attack progression
• Why continuous monitoring is essential during incident response

Team Coordination:

• How different cybersecurity roles contribute unique perspectives
• The value of cross-functional collaboration in incident response
• Why communication and coordination improve response effectiveness

Professional Development Value

Skills Developed:

• Basic malware analysis and behavioral assessment
• Incident response coordination and communication
• User interview techniques and social engineering investigation
• Type-based strategic thinking for cybersecurity defense

Career Applications:

• SOC analyst pattern recognition and alert investigation
• Incident response team coordination and role specialization
• Security awareness training development and user education
• Cybersecurity strategy development and tool selection

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Identifies GaboonGrabber as a Trojan-type threat using evidence-based analysis
• Understands social engineering vector and user education implications
• Recognizes process injection and behavioral analysis concepts
• Coordinates effective response using type-appropriate containment strategies
• Documents lessons learned for future reference and community sharing

Individual Growth Indicators:

• Detective: Demonstrates evidence analysis and pattern recognition skills
• Protector: Shows understanding of containment strategies and system hardening
• Tracker: Exhibits network monitoring and communication analysis capabilities
• Communicator: Displays stakeholder management and user education insights
• Crisis Manager: Demonstrates coordination and strategic planning abilities
• Threat Hunter: Shows proactive investigation and intelligence development skills

Learning Assessment Questions

Post-Session Reflection:

• “What surprised you most about how this attack succeeded?”
• “Which detection or response techniques would be most effective against similar threats?”
• “How would you explain this incident to users to prevent future infections?”
• “What would you do differently if your organization faced this threat?”

MalDex Documentation Prompts:

• “What made GaboonGrabber’s social engineering so effective?”
• “Which behavioral indicators were most useful for detection?”
• “How did team coordination improve response effectiveness?”
• “What insights would help other teams facing similar Trojans?”

Scaling and Variation

Session Modifications

For Shorter Sessions (60 minutes):

• Focus on discovery and initial response without evolution mechanics
• Streamline investigation phase to key findings and team coordination
• Emphasize rapid decision-making and basic containment strategies

For Longer Sessions (120 minutes):

• Add detailed forensic analysis and attribution investigation
• Include comprehensive user education planning and policy development
• Incorporate advanced evasion techniques and sophisticated threat actor behaviors

For Industry-Specific Adaptations:

• Healthcare: Focus on patient data protection and HIPAA compliance considerations
• Financial: Emphasize fraud prevention and regulatory reporting requirements
• Education: Address BYOD challenges and diverse user population management

Community Contributions

Encourage Documentation of:

• Novel investigation techniques discovered during sessions
• Effective team coordination strategies and communication approaches
• Creative response strategies and innovative containment techniques
• User education insights and social engineering countermeasures

Support Follow-Up Activities:

• Advanced sessions featuring GaboonGrabber evolution and sophisticated payloads
• Cross-organizational sharing of response techniques and lessons learned
• Integration of session insights into organizational security awareness training
• Development of new scenarios based on community feedback and real-world threat evolution

GaboonGrabber serves as an ideal introduction to Malware & Monsters, providing rich learning opportunities while remaining accessible to teams with diverse cybersecurity backgrounds. Its focus on social engineering, behavioral analysis, and team coordination makes it an excellent foundation for more advanced scenarios.

WannaCry: The Global Pandemic

Malmon Profile

Classification: Worm/Ransomware ⭐⭐⭐
Discovery Credit: Multiple security researchers, May 2017
First Documented: WannaCry outbreak, May 12, 2017
Threat Level: Advanced (Global infrastructure impact)

Malmon Card Reference

WannaCry

Worm/Ransomware

⭐⭐⭐

WannaCry is a devastating ransomware worm that caused global chaos in May 2017. Exploiting the EternalBlue vulnerability, it spread rapidly across networks, encrypting files and demanding Bitcoin payments. It affected hospitals, businesses, and governments—highlighting the dangers of unpatched systems and state-developed exploits gone rogue.

🔥

Rapid Propagation

Self-replicating worm spreading via SMB vulnerabilities with automatic network traversal

⚡

EternalBlue Exploit

Uses NSA-developed exploit for Windows SMB protocol with devastating effectiveness

🔮

Kill Switch Vulnerability

Can be instantly neutralized if specific domain registration weakness is discovered

⬆️

Global Pandemic Worm

Achieves worldwide propagation with critical infrastructure impact

💎

Network Segmentation

Contained by proper network isolation and SMB protocol restrictions

🔍4

🔒7

📡10

💣9

🥷6

Discovered By:Security Community

Habitat:Unpatched Windows networks, SMB-enabled systems

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1566.001 (Spearphishing Attachment)
• Lateral Movement: T1210 (Exploitation of Remote Services)
  
• Impact: T1486 (Data Encrypted for Impact)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1566.001 Spearphishing Attachment	Initial Access	Initial infection vector through malicious email attachments	Email security, user training, attachment scanning	Email analysis, attachment behavior monitoring
T1210 Exploitation of Remote Services	Lateral Movement	Uses EternalBlue exploit to spread via SMB vulnerabilities	Patch management, network segmentation, SMB hardening	Network monitoring, exploit detection, vulnerability scanning
T1486 Data Encrypted for Impact	Impact	Encrypts files and demands ransom payment for decryption	Backup systems, file monitoring, user training	File modification monitoring, encryption behavior, ransom notes

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

EternalBlue Exploitation:

• Exploits MS17-010 SMB vulnerability for rapid network spread
• No user interaction required for propagation
• Targets Windows systems with unpatched SMB services
• +3 bonus to network propagation in vulnerable environments

Ransomware Payload:

• Encrypts files with strong cryptographic algorithms
• Demands Bitcoin payment for decryption keys
• Creates distinctive ransom note and desktop wallpaper
• +2 bonus to business disruption and panic generation

Kill Switch Vulnerability (Hidden Ability):

• Contains hardcoded domain check that acts as emergency brake
• If specific domain resolves, malware stops spreading
• Discovered by security researcher Marcus Hutchins
• Can be instantly neutralized if weakness is discovered and exploited

Type Effectiveness Against WannaCry

Understanding which security controls work best against hybrid Worm/Ransomware threats like WannaCry:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Network Isolation (stops spread), Backup Systems (counters encryption), Patch Management (prevents initial exploitation)
• Moderately Effective: Behavioral Analysis (detects both worm and ransomware activities), System Restoration
• Least Effective: Signature Detection (especially for zero-day exploits), User Education (no user interaction required)

Hybrid Type Considerations:
Teams must address both rapid network spread AND file encryption - guide them to use multi-layered approaches.

Vulnerabilities

Network Segmentation Weakness:

• Spread limited by network boundaries and firewall rules
• Cannot cross properly segmented network zones
• -3 penalty when networks have effective micro-segmentation

Patch Management Defense:

• MS17-010 patch completely prevents exploitation
• Vulnerable only to systems missing critical security updates
• Organizations with current patching are immune to initial infection

Facilitation Guide

Pre-Session Preparation

Choose WannaCry When:

• Intermediate to advanced teams ready for complex, multi-vector threats
• Network security education is a primary learning objective
• Business continuity and crisis management concepts should be demonstrated
• Global incident coordination scenarios are desired
• Patch management and vulnerability response need emphasis

Avoid WannaCry When:

• New teams who haven’t mastered basic incident response coordination
• Individual endpoint focus sessions where network propagation isn’t relevant
• Limited time sessions where complexity might prevent completion

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Multiple departments reporting computers locked with ransom messages”
• “IT help desk overwhelmed with calls about encrypted files”
• “Network performance severely degraded across all locations”
• “Security systems detecting massive SMB traffic spikes”

IM Question Progression:

1. “What pattern connects locked computers across multiple departments?”
2. “How might malware spread so quickly through the network?”
3. “What would cause both file encryption AND network performance issues?”
4. “What makes this different from typical malware infections?”

Expected Player Discovery Path:

• Detective: Analyzes ransom notes, discovers file encryption patterns
• Protector: Identifies SMB exploitation attempts and system vulnerabilities
• Tracker: Maps rapid network propagation and lateral movement
• Communicator: Assesses massive business impact and stakeholder panic
• Crisis Manager: Coordinates response to organization-wide emergency
• Threat Hunter: Discovers connection to global campaign and threat intelligence

Evolution Trigger - Global Scale: Introduce: “News reports showing this same attack hitting hospitals, governments, and companies worldwide…”

Investigation Phase (Round 2) Facilitation

Impact Assessment Questions:

• “How do you assess damage when the entire network is potentially compromised?”
• “What critical systems and data are at risk from continued spreading?”
• “How do you coordinate response when your normal communication systems are affected?”

Attack Vector Deep Dive:

• “How did one vulnerability create such widespread impact?”
• “What does this tell us about our network architecture and segmentation?”
• “Why were some systems affected while others remained safe?”

Kill Switch Discovery:

• “Your threat intelligence team reports something unusual about this malware’s behavior…”
• “What if there was a way to stop the spread without removing the malware?”
• “How might threat actors build emergency stops into their own malware?”

Response Phase (Round 3) Facilitation

Multi-Vector Response Strategy:

• “How do you address both the immediate ransomware impact AND prevent further spreading?”
• “What’s your priority - stopping spread, recovering data, or maintaining business operations?”
• “How do you coordinate response across multiple affected locations?”

Global Coordination Element:

• “Other organizations worldwide are sharing information about this attack - how do you participate?”
• “What information would you share, and what would you want from others?”

Advanced Facilitation Techniques

Managing Complexity

For Intermediate Groups:

• Focus on either ransomware OR worm aspects, not both simultaneously
• Provide more guidance about SMB vulnerability and exploitation concepts
• Emphasize team coordination over technical complexity

For Advanced Groups:

• Include attribution discussion (North Korea/Lazarus Group connections)
• Discuss policy implications of nation-state ransomware
• Explore supply chain and critical infrastructure impacts

Global Incident Simulation:

• Introduce time pressure from media attention and regulatory scrutiny
• Include coordination with external agencies and industry partners
• Simulate decision-making about public disclosure and threat intelligence sharing

Real-World Learning Connections

Critical Infrastructure Protection:

• How single vulnerabilities can have cascading global effects
• The importance of network segmentation and defense in depth
• Business continuity planning for widespread system compromise

Vulnerability Management:

• The critical importance of timely security patching
• How threat actors weaponize disclosed vulnerabilities
• Risk assessment and patch prioritization strategies

Crisis Communication:

• Managing stakeholder communication during widespread outages
• Coordinating with law enforcement and regulatory agencies
• Public communication strategies during global incidents

International Cooperation:

• How cybersecurity incidents require global coordination
• Information sharing protocols and threat intelligence networks
• Attribution challenges and geopolitical implications

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes dual worm/ransomware nature requiring different response strategies
• Understands network propagation concepts and containment approaches
• Coordinates response to organization-wide emergency with external coordination
• Demonstrates understanding of vulnerability management and patching importance
• Addresses both immediate impact and long-term prevention strategies

Advanced Learning Indicators:

• Discusses attribution and nation-state threat actor implications
• Explores policy and regulatory responses to global cyber incidents
• Considers supply chain and critical infrastructure protection strategies
• Demonstrates understanding of international cybersecurity cooperation

Post-Session Reflection Questions

• “How did the dual nature of this threat (worm + ransomware) complicate response?”
• “What would effective network segmentation have done to limit impact?”
• “How do you balance transparency with security during global incidents?”
• “What lessons does WannaCry teach about vulnerability management?”

Community Contributions and Extensions

Advanced Scenarios

• WannaCry 2.0: What if the kill switch hadn’t existed?
• Critical Infrastructure Variant: Power grid or healthcare-specific impacts
• Attribution Investigation: Following intelligence leads to threat actor identification
• Policy Response: Developing organizational and industry responses to global threats

Real-World Applications

• Vulnerability Management Programs: Using WannaCry timeline to improve patching
• Network Architecture Review: Segmentation strategies to prevent worm propagation
• Crisis Communication Planning: Stakeholder management during widespread outages
• International Cooperation: Participating in global threat intelligence sharing

WannaCry represents the perfect storm of technical vulnerability, widespread deployment, and global impact. It teaches critical lessons about how individual organizational security connects to global cybersecurity resilience.

Raspberry Robin: The USB Propagator

Malmon Profile

Classification: Worm/APT ⭐⭐
Discovery Credit: Red Canary Intelligence Team, 2021
First Documented: September 2021
Threat Level: Intermediate (USB propagation specialist)

Malmon Card Reference

Raspberry Robin

Worm/USB

⭐⭐

Raspberry Robin is a sophisticated malware known for spreading via infected USB drives and Windows shortcuts. It uses a complex infection chain, often involving legitimate tools like msiexec or cmd.exe to download further payloads. Raspberry Robin's infrastructure is highly obfuscated, with connections to various malware ecosystems including ransomware-as-a-service groups. Its evasive techniques and lateral movement capabilities make it a persistent threat in enterprise environments.

🔥

USB Propagation

Spreads through infected removable media with Windows shortcut exploitation

⚡

Complex Infection Chain

Multi-stage deployment using legitimate Windows utilities and QNAP device communication

🔮

Dropper Evolution

Serves as initial access for more sophisticated follow-on malware families

⬆️

Multi-Vector Distribution Platform

Becomes delivery mechanism for multiple advanced threat families

💎

USB Controls

Defeated by removable media restrictions and endpoint monitoring

🔍5

🔒7

📡8

💣6

🥷7

Discovered By:Red Canary

Habitat:USB devices, removable media, Windows environments

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1091 (Replication Through Removable Media)
• Persistence: T1547.001 (Registry Run Keys/Startup Folder)
• Command and Control: T1071.001 (Application Layer Protocol)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1091 Replication Through Removable Media	Initial Access	Spreads via infected USB drives in targeted environments	USB controls, device management, endpoint protection	USB monitoring, removable media scanning, device tracking
T1071.001 Application Layer Protocol	Command and Control	Uses legitimate services like Discord and Telegram for C2	Network monitoring, application control, traffic analysis	Network traffic analysis, service monitoring, C2 detection
T1547.001 Registry Run Keys/Startup Folder	Persistence	Establishes persistence through Windows registry modifications	Registry monitoring, startup controls, system integrity	Registry monitoring, startup enumeration, persistence scanning

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

USB Propagation Mastery:

• Spreads through infected USB drives and removable media
• Creates malicious LNK files that appear as legitimate folders
• Automatically infects new USB devices when inserted
• +3 bonus to spreading in environments with frequent USB usage

Living-off-the-Land Techniques:

• Uses legitimate Windows processes for malicious activities
• Leverages QEMU emulation and Windows utilities
• Avoids dropping obvious malicious files on disk
• +2 bonus against traditional file-based detection

Network Evasion (Hidden Ability):

• Communicates with command and control through legitimate services
• Uses compromised WordPress sites and cloud services
• Employs domain generation algorithms for resilience
• Triggers evolution to more sophisticated APT-level persistence

Type Effectiveness Against Raspberry Robin

Understanding which security controls work best against hybrid Worm/APT threats like Raspberry Robin:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: User Education (USB security awareness), Physical Security Controls (USB port management), Behavioral Analysis (detects living-off-the-land techniques)
• Moderately Effective: Network Isolation (limits C2 communication), Threat Intelligence (tracks campaign indicators)
• Least Effective: Signature Detection (uses legitimate processes), Traditional Network Controls (USB propagation), Standard Antivirus (fileless techniques)

Hybrid Type Considerations:
This combines physical propagation with sophisticated techniques - emphasize both physical security awareness and advanced detection capabilities.

Vulnerabilities

USB Dependency:

• Spread requires physical USB media and user interaction
• Limited to environments where removable media is common
• -2 penalty in organizations with strict USB usage policies

User Education Susceptibility:

• Social engineering awareness reduces infection success
• Technical training about USB security limits propagation
• Security policies can effectively prevent initial infection

Facilitation Guide

Pre-Session Preparation

Choose Raspberry Robin When:

• Mixed experience teams learning about physical security and network integration
• USB security and removable media policies need emphasis
• Living-off-the-land techniques should be demonstrated
• Physical/digital security convergence is a learning objective
• User behavior and policy effectiveness need exploration

Avoid Raspberry Robin When:

• Organizations with strict no-USB policies where scenario isn’t relevant
• Purely network-focused training where physical vectors aren’t applicable
• Time-limited sessions where USB propagation complexity might overwhelm

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Multiple workstations showing suspicious network connections”
• “Users reporting USB drives creating unexpected folders”
• “Security tools detecting legitimate processes behaving unusually”
• “Network monitoring shows connections to compromised WordPress sites”

IM Question Progression:

1. “What connects workstations that don’t normally share network connections?”
2. “How might malware spread without using network vulnerabilities?”
3. “What would make legitimate Windows processes appear suspicious?”
4. “What physical vectors could bypass network security controls?”

Expected Player Discovery Path:

• Detective: Investigates unusual process behavior and network connections
• Protector: Identifies compromise of systems across network segments
• Tracker: Maps communication to external compromise infrastructure
• Communicator: Investigates user reports of USB drive behavior
• Crisis Manager: Coordinates response across physical and digital domains
• Threat Hunter: Discovers living-off-the-land techniques and process injection

USB Vector Revelation: Guide toward: “This appears to be spreading through infected USB drives that users are carrying between systems.”

Investigation Phase (Round 2) Facilitation

Physical/Digital Integration Questions:

• “How do you investigate an attack that bridges physical and digital security?”
• “What policies and technologies address removable media threats?”
• “How would you trace which USB drives have been infected?”

Living-off-the-Land Analysis:

• “Why would attackers use legitimate Windows processes for malicious purposes?”
• “How do you detect malicious use of standard system tools?”
• “What makes this approach effective against traditional security controls?”

Scope Assessment:

• “How far could this have spread through USB sharing?”
• “What systems might be affected that aren’t on your managed network?”
• “How do you assess impact when the attack vector is physical?”

Response Phase (Round 3) Facilitation

Multi-Domain Response Strategy:

• “How do you respond to threats that use both physical and digital vectors?”
• “What coordination is needed between IT, physical security, and user training?”
• “How do you prevent reinfection through continued USB usage?”

Policy and Technical Controls:

• “What combination of technology and policy would prevent future USB-based attacks?”
• “How do you balance security with legitimate business needs for removable media?”
• “What user education is needed to address this type of threat?”

Advanced Facilitation Techniques

Physical Security Integration

Cross-Domain Thinking:

• Help teams understand how physical and digital security interconnect
• Guide discussion of user behavior and policy enforcement
• Explore the challenges of securing mobile devices and removable media

Policy Effectiveness Analysis:

• Discuss how technical controls and organizational policies work together
• Examine the balance between security and usability
• Explore user training and awareness as security controls

Living-off-the-Land Concepts

Legitimate Tool Abuse:

• Help teams understand how attackers use standard tools maliciously
• Guide discussion of behavioral analysis and context-aware detection
• Explore the challenges of distinguishing malicious from legitimate activity

Detection Strategy Development:

• Discuss how traditional signature-based detection fails against these techniques
• Explore behavioral analysis and anomaly detection approaches
• Guide development of detection strategies for dual-use tools

Real-World Learning Connections

USB and Removable Media Security

• Physical security controls for removable media
• Technical solutions for USB security (blocking, monitoring, sandboxing)
• User education and policy development for removable media
• Integration of physical and digital security controls

Living-off-the-Land Defense

• Behavioral analysis and anomaly detection for legitimate tools
• Context-aware security monitoring and alerting
• Whitelist and blacklist approaches for system tool usage
• Advanced threat hunting techniques for dual-use tools

User Behavior and Security Culture

• How user behavior creates or mitigates security risks
• The role of security awareness training in threat prevention
• Balancing security controls with business productivity needs
• Building security culture that addresses both physical and digital threats

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes USB propagation as physical/digital convergence threat
• Understands living-off-the-land techniques and detection challenges
• Develops response strategies addressing both technical and policy domains
• Demonstrates understanding of user behavior as security control
• Integrates physical security considerations with digital response

Learning Assessment Questions

• “How does USB propagation change your approach to incident response?”
• “What detection strategies work against living-off-the-land techniques?”
• “How do you balance USB security with legitimate business needs?”
• “What role does user education play in preventing USB-based attacks?”

Community Contributions and Extensions

Advanced Scenarios

• BYOD Environment: USB threats in environments with personal devices
• Air-Gapped Networks: USB as bridge between isolated and connected systems
• Supply Chain Attack: USB devices compromised during manufacturing
• Insider Threat: Malicious use of USB devices by authorized personnel

Real-World Applications

• USB Security Policy Development: Creating comprehensive removable media policies
• Physical Security Integration: Coordinating digital and physical security controls
• User Training Programs: Developing effective security awareness for removable media
• Detection Strategy Enhancement: Implementing behavioral analysis for dual-use tools

Raspberry Robin demonstrates how modern threats blend physical and digital attack vectors, requiring security strategies that address both domains and emphasize the critical role of user behavior in organizational security.

Noodle RAT: The Fileless Ghost

Malmon Profile

Classification: APT/Infostealer ⭐⭐⭐
Discovery Credit: Lena Yu, Cybersecurity Researcher, 2023
First Documented: May 2023
Threat Level: Advanced (Fileless persistence specialist)

Malmon Card Reference

Noodle RAT

RAT/Stealth

⭐⭐

Noodle RAT is a stealthy backdoor malware used by Chinese-speaking threat actors for cyber espionage. It features two core variants—fileless and file-based—both supporting key operations like file uploads, downloads, command execution, and self-deletion. Often deployed via DLL side-loading, Noodle RAT blends into compromised systems and maintains persistence with minimal forensic trace.

🔥

Fileless Persistence

Operates entirely in memory with registry-based persistence mechanisms

⚡

Data Harvesting

Systematic collection of credentials, documents, and system information

🔮

APT Infrastructure

Connected to Chinese APT operations with sophisticated command and control

⬆️

Advanced Espionage Platform

Develops enhanced lateral movement and data exfiltration capabilities

💎

Memory Analysis

Vulnerable to memory forensics and behavioral monitoring techniques

🔍7

🔒8

📡5

💣8

🥷8

Discovered By:Threat Intelligence Researchers

Habitat:Government networks, high-value targets

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1566.001 (Spearphishing Attachment)
• Defense Evasion: T1055 (Process Injection)
• Exfiltration: T1041 (Exfiltration Over C2 Channel)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1566.001 Spearphishing Attachment	Initial Access	Targets victims through carefully crafted spearphishing campaigns	Email security, user training, attachment scanning	Email analysis, attachment behavior monitoring, user reporting
T1055 Process Injection	Defense Evasion	Injects malicious code into legitimate processes to avoid detection	Process monitoring, memory protection, behavioral analysis	Process behavior monitoring, memory analysis, API monitoring
T1041 Exfiltration Over C2 Channel	Exfiltration	Exfiltrates collected data through encrypted command and control channels	Network monitoring, egress filtering, traffic analysis	Network traffic analysis, C2 communication patterns, data flow monitoring

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

• Exfiltration: T1041 (Exfiltration Over C2 Channel)

Core Capabilities

Fileless Operation:

• Operates entirely in memory without disk-based artifacts
• Uses legitimate system processes for malicious activities
• Persists through registry modifications and scheduled tasks
• +3 bonus against traditional file-based detection systems

Credential Harvesting:

• Dumps passwords from browser stores and system memory
• Captures keystrokes and clipboard contents
• Steals authentication tokens and session cookies
• +2 bonus to credential theft and account compromise

Advanced Evasion (Hidden Ability):

• Uses process hollowing and injection techniques
• Communicates through encrypted channels mimicking legitimate traffic
• Self-destructs when forensic analysis is detected
• Evolves into persistent APT with lateral movement capabilities

Type Effectiveness Against Noodle RAT

Understanding which security controls work best against advanced APT/Infostealer threats like Noodle RAT:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Behavioral Analysis (detects fileless techniques), Memory Forensics (catches process injection), Threat Intelligence (tracks APT campaigns)
• Moderately Effective: Network Monitoring (C2 patterns), Zero Trust Architecture (limits credential reuse), Advanced Endpoint Detection
• Least Effective: Signature Detection (fileless operation), Traditional Antivirus (legitimate process abuse), File-based Analysis (no disk artifacts)

APT/Infostealer Considerations:
This represents sophisticated credential theft operations - emphasize advanced detection, memory analysis, and assumption of compromise approaches.

Vulnerabilities

Memory Analysis Detection:

• Vulnerable to advanced memory forensics and behavioral analysis
• Process injection creates detectable anomalies in system behavior
• -3 penalty when defenders use memory analysis tools

Network Behavioral Analysis:

• Encrypted communications still create detectable patterns
• Command and control traffic has identifiable characteristics
• Vulnerable to network behavioral analysis and traffic correlation

Facilitation Guide

Pre-Session Preparation

Choose Noodle RAT When:

• Advanced teams ready for sophisticated evasion techniques
• Fileless malware and advanced persistence concepts need demonstration
• Credential security and access management focus is desired
• Memory forensics and behavioral analysis techniques should be explored
• APT tactics and stealth operations require illustration

Avoid Noodle RAT When:

• Novice teams who haven’t mastered basic malware detection
• File-based security focus where fileless techniques aren’t relevant
• Time-limited sessions where complexity might prevent adequate exploration

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Users reporting unexpected password changes and account lockouts”
• “Network monitoring detects encrypted traffic to suspicious domains”
• “No malicious files found despite clear signs of compromise”
• “Legitimate system processes consuming unusual amounts of memory”

IM Question Progression:

1. “How could systems be compromised without any malicious files present?”
2. “What would cause legitimate processes to behave suspiciously?”
3. “How might attackers steal credentials without leaving obvious traces?”
4. “What investigation techniques work when traditional forensics find nothing?”

Expected Player Discovery Path:

• Detective: Analyzes memory dumps and process behavior for injection indicators
• Protector: Investigates credential compromise and access control bypasses
• Tracker: Maps encrypted communications and behavioral network patterns
• Communicator: Assesses user reports of account and authentication issues
• Crisis Manager: Coordinates response to invisible threat with visible impact
• Threat Hunter: Develops techniques for detecting fileless malware and memory-resident threats

Fileless Discovery: Guide toward: “This appears to be a fileless threat operating entirely in memory, making it nearly invisible to traditional detection.”

Investigation Phase (Round 2) Facilitation

Fileless Investigation Techniques:

• “How do you investigate threats that leave no files on disk?”
• “What forensic techniques work for memory-only malware?”
• “How do you preserve evidence of something that exists only in volatile memory?”

Credential Compromise Assessment:

• “How do you determine what credentials have been stolen without obvious indicators?”
• “What accounts and systems might be compromised through stolen credentials?”
• “How do you assess the scope of access an attacker might have gained?”

Advanced Evasion Analysis:

• “How do you detect process injection and hollowing techniques?”
• “What makes encrypted command and control traffic suspicious?”
• “How do you distinguish between legitimate and malicious memory usage?”

Response Phase (Round 3) Facilitation

Specialized Response Techniques:

• “How do you respond to threats that traditional tools can’t detect?”
• “What combination of techniques gives you the best chance of finding memory-resident malware?”
• “How do you ensure complete removal of threats that don’t exist as files?”

Credential Security Response:

• “What immediate steps are needed when credential theft is suspected?”
• “How do you prevent lateral movement using stolen credentials?”
• “What long-term changes are needed to prevent credential-based attacks?”

Advanced Facilitation Techniques

Fileless Malware Education

Memory Forensics Concepts:

• Help teams understand how malware can operate without files
• Guide discussion of memory analysis techniques and tools
• Explore the challenges of preserving volatile evidence

Behavioral Analysis Focus:

• Discuss how behavior-based detection works for fileless threats
• Explore the importance of baseline understanding for anomaly detection
• Guide development of hunting techniques for advanced persistent threats

Credential Security Deep Dive

Access Management Strategy:

• Discuss multi-factor authentication and zero-trust principles
• Explore credential management and privileged access controls
• Guide teams through credential compromise response procedures

Lateral Movement Prevention:

• Help teams understand how stolen credentials enable network traversal
• Discuss network segmentation and access control strategies
• Explore monitoring and detection for credential abuse

Real-World Learning Connections

Advanced Threat Detection

• Memory forensics and behavioral analysis techniques
• Network traffic analysis for encrypted communications
• Process monitoring and injection detection
• Threat hunting methodologies for advanced persistent threats

Credential Security Management

• Multi-factor authentication implementation and management
• Privileged access management and least privilege principles
• Credential monitoring and compromise detection
• Zero-trust architecture and identity-based security

Incident Response Evolution

• Adapting response procedures for fileless and memory-resident threats
• Volatile evidence preservation and memory forensics
• Advanced threat actor tactics and countermeasures
• Coordination between technical analysis and business protection

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes fileless malware characteristics and detection challenges
• Understands memory forensics and behavioral analysis concepts
• Develops response strategies for advanced persistent threats
• Demonstrates understanding of credential security and access management
• Coordinates technical analysis with business impact assessment

Advanced Learning Indicators:**

• Discusses threat hunting techniques for memory-resident malware
• Explores zero-trust architecture and identity-based security
• Considers long-term defensive strategies against APT tactics
• Demonstrates understanding of advanced evasion techniques and countermeasures

Post-Session Reflection Questions

• “How does fileless malware change your approach to threat detection?”
• “What detection strategies work against memory-resident threats?”
• “How do you balance security with usability in credential management?”
• “What organizational changes are needed to defend against advanced persistent threats?”

Community Contributions and Extensions

Advanced Scenarios

• Zero-Day Exploitation: Fileless delivery through unknown vulnerabilities
• Living-off-the-Land: Using only legitimate tools for malicious purposes
• Supply Chain Integration: Fileless compromise through trusted software
• Insider Threat: Malicious use of legitimate access and credentials

Strategic Applications

• Threat Hunting Program Development: Building capabilities for advanced threat detection
• Zero-Trust Implementation: Designing identity-based security architectures
• Memory Forensics Training: Developing organizational capabilities for fileless threat analysis
• Credential Security Strategy: Implementing comprehensive access management programs

Noodle RAT represents the cutting edge of malware evasion, demonstrating how advanced threats adapt to security controls and requiring organizations to evolve beyond traditional file-based detection toward behavioral analysis and memory forensics.

LitterDrifter: The Geopolitical Wanderer

Malmon Profile

Classification: Worm/APT ⭐⭐⭐
Discovery Credit: Check Point Research, 2024
First Documented: February 2024
Threat Level: Advanced (Nation-state USB targeting)

Malmon Card Reference

LitterDrifter

Worm/USB

⭐⭐

LitterDrifter is a wormable USB-spreading malware used by the Russia-linked Gamaredon group for espionage campaigns. It infects removable drives to autonomously spread across systems and silently exfiltrate sensitive data. LitterDrifter is modular, persistent, and often disguised as harmless files—making cleanup anything but tidy.

🔥

Removable Media Spreading

Propagates via infected USB drives with geopolitical targeting focus

⚡

Gamaredon Group TTPs

Employs techniques associated with Russian APT group operations

🔮

Intelligence Collection

Gathers system information and documents for potential espionage purposes

⬆️

Regional APT Campaign

Develops into targeted espionage operation with nation-state backing

💎

USB Security Controls

Contained by removable media policies and endpoint detection

🔍6

🔒7

📡8

💣7

🥷6

Discovered By:Check Point Research

Habitat:Government networks, Eastern European targets

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1091 (Replication Through Removable Media)
• Discovery: T1082 (System Information Discovery)
• Collection: T1113 (Screen Capture)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1091 Replication Through Removable Media	Initial Access	Spreads via USB drives targeting specific geographic regions	USB controls, geopolitical threat awareness, device management	USB monitoring, removable media scanning, geographic analysis
T1113 Screen Capture	Collection	Captures screenshots and monitors user activity	Screen monitoring detection, user privacy controls, behavioral analysis	Screen capture detection, user activity monitoring, privacy alerts
T1082 System Information Discovery	Discovery	Gathers system information and geolocation data for targeting decisions	System monitoring, information controls, privacy protection	System enumeration monitoring, data collection detection

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

Geopolitical Targeting:

• Specifically targets Ukrainian government and military organizations
• Contains geographic and linguistic targeting filters
• Designed for wartime intelligence collection and disruption
• +3 bonus to effectiveness against targeted geographic regions

USB Worm Evolution:

• Advances beyond basic USB propagation with sophisticated persistence
• Uses multiple infection vectors including email and network shares
• Implements advanced anti-analysis and evasion techniques
• +2 bonus to persistence and reinfection resistance

Intelligence Collection (Hidden Ability):

• Screenshots sensitive information and documents
• Harvests credentials and authentication tokens
• Maps network infrastructure and organizational relationships
• Evolves into comprehensive espionage platform with geopolitical implications

Type Effectiveness Against LitterDrifter

Understanding which security controls work best against geopolitical Worm/APT threats like LitterDrifter:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Physical Security (USB port controls), Threat Intelligence (geopolitical attribution), User Education (USB security awareness)
• Moderately Effective: Network Isolation (contains spread), Behavioral Analysis (screenshots detection), Air-gap Controls (when properly implemented)
• Least Effective: Signature Detection (constantly evolving), Traditional Antivirus (advanced evasion), Standard Network Monitoring (USB propagation)

Geopolitical Threat Considerations:
This represents nation-state targeting with wartime implications - emphasize strategic response, international coordination, and the intersection of cybersecurity with geopolitical conflict.

Vulnerabilities

Geographic Specificity:

• Limited effectiveness outside targeted geographic regions
• Language and cultural filtering reduces global impact
• -2 penalty when deployed outside intended target environment

Attribution Evidence:

• Code characteristics and targeting suggest specific threat actor
• Geopolitical context provides attribution indicators
• Vulnerable to intelligence analysis and strategic attribution

Facilitation Guide

Pre-Session Preparation

Choose LitterDrifter When:

• Advanced teams ready for nation-state and geopolitical complexity
• Wartime cybersecurity and conflict scenarios are appropriate
• Geographic targeting and cultural context concepts need exploration
• Intelligence operations and espionage understanding is desired
• Attribution and geopolitical analysis should be demonstrated

Avoid LitterDrifter When:

• Sensitive political environments where conflict scenarios might be inappropriate
• Basic USB security focus where geopolitical complexity isn’t needed
• Apolitical training environments where nation-state context might be problematic

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “USB-based malware targeting specific organizational departments”
• “Malware appears designed for specific geographic and linguistic environment”
• “Intelligence collection focused on government and military information”
• “Attack timing correlates with ongoing geopolitical tensions”

IM Question Progression:

1. “What makes this USB attack different from typical malware propagation?”
2. “How does geographic and linguistic targeting change threat assessment?”
3. “What does the timing and targeting suggest about threat actor motivation?”
4. “How do you investigate attacks during active conflict or tension?”

Expected Player Discovery Path:

• Detective: Analyzes code characteristics and targeting specificity
• Protector: Assesses compromise of sensitive government/military systems
• Tracker: Maps intelligence collection and data exfiltration patterns
• Communicator: Evaluates geopolitical implications and stakeholder impact
• Crisis Manager: Coordinates response during heightened threat environment
• Threat Hunter: Develops attribution analysis and strategic threat assessment

Geopolitical Recognition: Guide toward: “This appears to be a nation-state intelligence operation targeting specific organizations during active geopolitical conflict.”

Investigation Phase (Round 2) Facilitation

Wartime Cybersecurity Context:

• “How does active conflict change cybersecurity threat assessment and response?”
• “What additional considerations apply when investigating nation-state attacks during tensions?”
• “How do you coordinate cybersecurity response with national security agencies?”

Attribution and Intelligence Analysis:

• “What evidence helps attribute attacks to specific nation-state actors?”
• “How do you assess threat actor capabilities and strategic objectives?”
• “What does the targeting pattern tell us about intelligence collection priorities?”

Strategic Impact Assessment:

• “How do you evaluate impact when attacks target government and military organizations?”
• “What are the broader implications beyond immediate technical compromise?”
• “How does this attack fit into larger patterns of cyber conflict?”

Response Phase (Round 3) Facilitation

Strategic Cybersecurity Response:

• “How do you respond to nation-state attacks during active conflict?”
• “What coordination is needed between cybersecurity, intelligence, and policy teams?”
• “How do you balance defensive response with strategic considerations?”

Long-Term Strategic Defense:

• “What changes are needed to defend against targeted nation-state campaigns?”
• “How do you prepare for escalation in state-sponsored cyber operations?”
• “What role does international cooperation play in defending against these threats?”

Advanced Facilitation Techniques

Geopolitical Context Management

Sensitivity Awareness:

• Acknowledge the real-world context of ongoing conflicts
• Focus on cybersecurity learning rather than political positions
• Emphasize universal principles of cybersecurity defense
• Avoid taking sides in political or military conflicts

Educational Objectives:

• Help teams understand how geopolitical context affects cybersecurity
• Guide discussion of nation-state threat actor capabilities and motivations
• Explore the intersection of cybersecurity and national security
• Discuss attribution challenges and intelligence analysis methods

Conflict Cybersecurity Concepts

Wartime Considerations:

• Discuss how conflict environments change threat landscapes
• Explore coordination between cybersecurity and national security
• Guide teams through threat prioritization during heightened tensions
• Address intelligence sharing and international cooperation

Strategic Attribution:

• Help teams understand how technical and strategic attribution work together
• Discuss the role of intelligence agencies in cybersecurity incidents
• Explore the challenges of attribution during active conflicts
• Guide analysis of threat actor capabilities, motivations, and opportunities

Real-World Learning Connections

Nation-State Threat Analysis

• Understanding state-sponsored threat actor capabilities and motivations
• Strategic attribution using technical, tactical, and geopolitical indicators
• Intelligence analysis and confidence assessment methodologies
• Coordination between cybersecurity and national security communities

Conflict Cybersecurity

• How active conflicts change cybersecurity threat environments
• Defensive strategies for organizations in conflict zones
• International cooperation and mutual assistance during cyber conflicts
• Resilience planning for nation-state and wartime threats

Geographic and Cultural Targeting

• How threat actors use geographic and linguistic targeting
• Cultural and linguistic indicators in malware analysis
• Regional threat assessment and contextual analysis
• International coordination for geographically targeted threats

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes nation-state characteristics and geopolitical targeting
• Understands conflict cybersecurity and wartime threat considerations
• Develops attribution analysis using multiple intelligence indicators
• Demonstrates coordination between cybersecurity and strategic response
• Addresses international cooperation and intelligence sharing concepts

Advanced Learning Indicators:**

• Discusses strategic implications of nation-state cyber operations
• Explores coordination with intelligence and national security agencies
• Considers long-term geopolitical implications of cyber conflict
• Demonstrates understanding of attribution confidence and assessment methods

Post-Session Reflection Questions

• “How does geopolitical conflict change cybersecurity priorities and methods?”
• “What attribution evidence is most reliable for nation-state actors?”
• “How should organizations coordinate with government agencies during nation-state attacks?”
• “What lessons does this teach about the intersection of cybersecurity and international relations?”

Community Contributions and Extensions

Advanced Scenarios

• Critical Infrastructure Targeting: Nation-state attacks on essential services
• Supply Chain Compromise: State-sponsored attacks through trusted vendors
• Disinformation Integration: Cyber attacks combined with information operations
• International Response: Coordinated defense against state-sponsored campaigns

Strategic Applications

• Threat Intelligence Programs: Building capabilities for nation-state threat analysis
• Government Coordination: Developing relationships with national security agencies
• International Cooperation: Participating in global cybersecurity mutual assistance
• Strategic Defense Planning: Preparing for escalation in state-sponsored cyber operations

LitterDrifter demonstrates how cybersecurity incidents can be inseparable from geopolitical conflicts, requiring defenders to understand not just technical aspects but also strategic, intelligence, and international relations dimensions of cyber threats.

FakeBat: The Software Masquerader

Malmon Profile

Classification: Trojan/Stealth ⭐⭐
Discovery Credit: Security researchers, 2022
First Documented: 2022
Threat Level: Intermediate (Software distribution specialist)

Malmon Card Reference

FakeBat

Trojan/Loader

⭐⭐

FakeBat is a deceptive malware loader known for distributing ransomware and infostealers like RedLine and Lumma. Masquerading as software installers, it tricks users into executing malicious scripts embedded in fake .bat or .lnk files. After a brief disappearance, FakeBat resurfaced in 2024—proving that fakes never stay gone for long.

🔥

Software Masquerading

Disguises as legitimate software installers and updates with convincing interfaces

⚡

Loader Functionality

Downloads and executes additional malware payloads after successful installation

🔮

Anti-Analysis Techniques

Employs sandbox evasion and virtual machine detection to avoid analysis

⬆️

Multi-Stage Attack Platform

Becomes delivery mechanism for sophisticated malware campaigns

💎

Signature Detection

Known variants can be identified and blocked by updated security tools

🔍4

🔒6

📡7

💣8

🥷7

Discovered By:Malware Researchers

Habitat:Fake software websites, malicious advertisements

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1189 (Drive-by Compromise)
• Defense Evasion: T1027 (Obfuscated Files or Information)
• Collection: T1005 (Data from Local System)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1027 Obfuscated Files or Information	Defense Evasion	Uses multiple layers of obfuscation to evade detection systems	Code analysis tools, behavioral detection, sandboxing	Static analysis, entropy analysis, deobfuscation tools
T1189 Drive-by Compromise	Initial Access	Compromises victims through malicious advertisements and fake software updates	Web browser security, ad blocking, user education	Web traffic monitoring, browser behavior analysis, download monitoring
T1005 Data from Local System	Collection	Collects sensitive information from infected systems	Data loss prevention, access controls, file monitoring	File access monitoring, data collection patterns, DLP alerts

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

Software Masquerading Excellence:

• Perfectly mimics legitimate software installers and updates
• Uses authentic-looking websites and download pages
• Employs social engineering to convince users of legitimacy
• +3 bonus to user deception and voluntary installation

Multi-Stage Loader Framework:

• Downloads and deploys additional payloads after initial infection
• Can deliver various malware families based on target assessment
• Adapts payload based on system configuration and user behavior
• +2 bonus to secondary payload deployment and persistence

Browser Hijacking Capabilities (Hidden Ability):

• Modifies browser settings and redirects web traffic
• Injects malicious advertisements and fake download prompts
• Creates persistent web-based infection vectors
• Triggers evolution to comprehensive browser-based attack platform

Type Effectiveness Against FakeBat

Understanding which security controls work best against Trojan-type software masqueraders like FakeBat:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: User Education (software verification training), Digital Signature Verification (defeats masquerading), Behavioral Analysis (detects installation anomalies)
• Moderately Effective: Browser Security (blocks malicious sites), System Restoration (removes installed components), Network Monitoring (C2 detection)
• Least Effective: Signature Detection (new variants), Air-gap Controls (user-initiated installation), Physical Security (software-based delivery)

Software Masquerading Considerations:
This represents social engineering through fake software - emphasize user education, software verification processes, and the importance of official distribution channels.

Vulnerabilities

User Education Effectiveness:

• Security awareness training significantly reduces infection success
• Technical users more likely to recognize deception indicators
• -2 penalty when users are trained to verify software authenticity

Download Verification Weakness:

• Digital signature verification defeats most masquerading attempts
• Official software distribution channels bypass deception entirely
• Hash verification and reputation checking prevent execution

Facilitation Guide

Pre-Session Preparation

Choose FakeBat When:

• Mixed experience teams learning about software security and user education
• Browser security and web-based threats need emphasis
• Social engineering and user behavior should be demonstrated
• Software distribution security is a learning objective
• Multi-stage attack progression concepts should be taught

Avoid FakeBat When:

• Highly technical teams seeking advanced technical challenges
• Network-focused training where endpoint threats aren’t the priority
• Organizations with strict software installation controls where scenario isn’t realistic

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Users reporting unexpected browser behavior and redirected web searches”
• “Multiple installations of software that users don’t remember downloading”
• “Browser performance degradation and persistent unwanted advertisements”
• “Help desk calls about ‘critical software updates’ that users installed”

IM Question Progression:

1. “What connects browser problems with software installation activities?”
2. “How might malware convince users to install it voluntarily?”
3. “What would make fake software appear legitimate to users?”
4. “How do attackers exploit trust in software update processes?”

Expected Player Discovery Path:

• Detective: Investigates software installation patterns and browser modifications
• Protector: Identifies unauthorized software installations and system changes
• Tracker: Maps network connections to malicious download infrastructure
• Communicator: Interviews users about software installation decisions and experiences
• Crisis Manager: Coordinates response to user-driven security compromise
• Threat Hunter: Investigates multi-stage payload deployment and browser persistence

Software Masquerading Revelation: Guide toward: “This appears to be malware that convinces users to install it by pretending to be legitimate software.”

Investigation Phase (Round 2) Facilitation

User Behavior Analysis:

• “How do you investigate when users voluntarily installed the malware?”
• “What made the fake software convincing enough that users trusted it?”
• “How do you assess which users might have been affected by similar deception?”

Multi-Stage Attack Assessment:

• “What additional threats might be deployed after this initial infection?”
• “How do you investigate when the initial malware is just a delivery mechanism?”
• “What browser changes create ongoing security risks?”

Distribution Infrastructure Analysis:

• “How do attackers create convincing fake software distribution sites?”
• “What technical and social engineering elements make this deception effective?”
• “How would you disrupt the distribution infrastructure?”

Response Phase (Round 3) Facilitation

User-Centered Response Strategy:

• “How do you respond to threats that exploit user trust and behavior?”
• “What combination of technical controls and user education prevents future infections?”
• “How do you balance user autonomy with security protection?”

Browser Security Enhancement:

• “What browser security settings and extensions help prevent fake software downloads?”
• “How do you secure web browsing without completely restricting user access?”
• “What ongoing monitoring detects browser-based persistence mechanisms?”

Advanced Facilitation Techniques

Social Engineering Focus

User Psychology Analysis:

• Help teams understand why users fall for software masquerading
• Guide discussion of trust indicators and authority exploitation
• Explore the balance between user convenience and security verification

Deception Technique Analysis:

• Discuss how attackers create convincing fake websites and download pages
• Explore the use of legitimate branding and social proof in deception
• Guide examination of technical and psychological manipulation tactics

Software Security Integration

Secure Software Distribution:

• Help teams understand legitimate software distribution security
• Guide discussion of digital signatures, certificates, and verification processes
• Explore enterprise software management and controlled installation procedures

Browser Security Architecture:

• Discuss browser security features and extension ecosystems
• Explore the challenges of balancing functionality with security
• Guide development of browser security policies and user guidelines

Real-World Learning Connections

User Education and Behavior

• Security awareness training design and effectiveness measurement
• User behavior analysis and risk assessment
• Trust verification training and procedure development
• Social engineering resistance and skepticism cultivation

Software Security Management

• Enterprise software installation policies and procedures
• Digital signature verification and certificate management
• Software distribution security and supply chain protection
• Application whitelisting and controlled execution environments

Browser Security and Web Protection

• Browser security configuration and policy management
• Web filtering and reputation-based protection systems
• Extension security and browser hardening techniques
• Web-based threat detection and response capabilities

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes software masquerading as user-targeted social engineering
• Understands multi-stage attack progression and payload deployment
• Develops response strategies addressing both technical and human factors
• Demonstrates understanding of browser security and web-based persistence
• Integrates user education with technical security controls

Learning Assessment Questions

• “How does software masquerading change your approach to user education?”
• “What technical controls effectively prevent fake software installation?”
• “How do you balance user autonomy with security protection requirements?”
• “What ongoing monitoring detects browser-based persistence and modification?”

Community Contributions and Extensions

Advanced Scenarios

• Enterprise Environment: FakeBat in organizations with managed software distribution
• BYOD Challenges: Personal device infections affecting corporate networks
• Supply Chain Variant: Compromise of legitimate software distribution channels
• Mobile Platform: Similar deception techniques targeting mobile app stores

Real-World Applications

• User Training Enhancement: Developing effective software security awareness programs
• Browser Security Policy: Creating comprehensive web browsing security guidelines
• Software Distribution Security: Implementing secure enterprise software management
• Deception Detection: Training users to identify and verify software authenticity

FakeBat demonstrates how modern threats exploit user trust and software distribution mechanisms, teaching important lessons about the intersection of technical security controls, user behavior, and organizational policy in comprehensive cybersecurity defense.

WireLurker: The Cross-Platform Bridge

Malmon Profile

Classification: Trojan/Cross-Platform ⭐⭐
Discovery Credit: Palo Alto Networks Unit 42, 2014
First Documented: November 2014
Threat Level: Intermediate (iOS/macOS cross-infection specialist)

Malmon Card Reference

WireLurker

Cross-Platform/Mobile

⭐⭐

WireLurker is a sophisticated cross-platform malware that targets both macOS and iOS devices through USB connections. Discovered in 2014, WireLurker was notable for being one of the first malware families to successfully jump between Mac computers and iOS devices. It used stolen enterprise certificates to bypass Apple's security restrictions and install malicious apps on connected iPhones and iPads. WireLurker represented a significant evolution in mobile malware, demonstrating how attackers could bridge the gap between desktop and mobile ecosystems.

🔥

Cross-Platform Infection

Spreads between macOS and iOS devices via USB connections

⚡

Enterprise Certificate Abuse

Uses legitimate enterprise certificates to bypass iOS security restrictions

🔮

Mobile Data Harvesting

Collects contacts, SMS messages, and device information from infected iOS devices

⬆️

Advanced Mobile Threat

Develops sophisticated iOS exploitation and data exfiltration capabilities

💎

Certificate Revocation

Neutralized when Apple revokes the abused enterprise certificates

🔍5

🔒7

📡8

💣7

🥷8

Discovered By:Palo Alto Networks

Habitat:macOS systems, iOS devices, Chinese app stores

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1566.001 (Spearphishing Attachment), T1195.002 (Compromise Software Supply Chain)
• Execution: T1204.002 (Malicious File)
• Persistence: T1547.001 (Registry Run Keys/Startup Folder), T1543.001 (Launch Agent)
• Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
• Defense Evasion: T1027 (Obfuscated Files), T1553.002 (Code Signing)
• Discovery: T1082 (System Information Discovery), T1120 (Peripheral Device Discovery)
• Lateral Movement: T1091 (Replication Through Removable Media)
• Collection: T1005 (Data from Local System), T1115 (Clipboard Data)
• Command and Control: T1071.001 (Application Layer Protocol)

Core Capabilities

Cross-Platform Infection:

• Spreads from infected macOS systems to connected iOS devices
• Uses USB connections and iTunes synchronization for propagation
• Installs malicious enterprise certificates on iOS devices
• +3 bonus to spreading in mixed Apple ecosystem environments

Enterprise Certificate Abuse:

• Uses stolen enterprise certificates to bypass iOS security
• Installs unsigned applications on non-jailbroken devices
• Circumvents Apple’s App Store security model
• +2 bonus against iOS security controls and app sandboxing

Supply Chain Infiltration (Hidden Ability):

• Distributed through compromised third-party app stores
• Embeds in legitimate-appearing macOS applications
• Uses trusted developer certificates for initial installation
• Triggers evolution to broader supply chain compromise

Type Effectiveness Against WireLurker

Understanding which security controls work best against cross-platform Trojan threats like WireLurker:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Mobile Device Management (certificate control), Physical Security (USB port management), User Education (third-party app risks)
• Moderately Effective: Behavioral Analysis (cross-device activity), System Monitoring (iTunes sync anomalies), Certificate Management (revocation response)
• Least Effective: Traditional Antivirus (certificate-signed apps), Network Controls (USB propagation), Signature Detection (legitimate certificates)

Cross-Platform Considerations:
This represents ecosystem-specific threats - emphasize mobile security policies, certificate management, and the risks of mixing enterprise and personal devices.

Vulnerabilities

Apple Ecosystem Dependency:

• Only effective in environments with macOS and iOS devices
• Requires USB connectivity and iTunes synchronization
• -3 penalty in non-Apple or strictly separated device environments

Certificate Revocation Response:

• Apple certificate revocation immediately neutralizes iOS payload
• Enterprise certificate management provides detection opportunities
• Vulnerable to mobile device management (MDM) controls

Facilitation Guide

Pre-Session Preparation

Choose WireLurker When:

• Mixed-platform environments with Apple devices need attention
• Mobile device security concepts should be demonstrated
• Supply chain security is a learning objective
• Cross-platform threat propagation needs exploration
• BYOD security challenges require illustration

Avoid WireLurker When:

• Windows-only environments where Apple threats aren’t relevant
• Strictly controlled device environments where scenario seems unrealistic
• Network-focused training where endpoint threats aren’t the priority

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “iPhone users reporting unexpected app installations”
• “macOS systems showing signs of compromise and unusual network activity”
• “Mobile device management alerts about unauthorized certificates”
• “Reports of apps appearing that aren’t from the official App Store”

IM Question Progression:

1. “How could unauthorized apps appear on non-jailbroken iPhones?”
2. “What connects compromised Mac computers with iPhone infections?”
3. “How might attackers bypass Apple’s security model without jailbreaking?”
4. “What would make users trust and install suspicious mobile applications?”

Expected Player Discovery Path:

• Detective: Investigates unusual certificate installations and app behaviors
• Protector: Identifies compromise bridging macOS and iOS platforms
• Tracker: Maps USB-based propagation and cross-platform communication
• Communicator: Assesses user confusion about legitimate vs. malicious apps
• Crisis Manager: Coordinates response across different device platforms
• Threat Hunter: Discovers enterprise certificate abuse and supply chain elements

Cross-Platform Revelation: Guide toward: “This appears to be jumping from Mac computers to iPhones through USB connections.”

Investigation Phase (Round 2) Facilitation

Cross-Platform Security Questions:

• “How do you investigate threats that affect multiple operating systems?”
• “What makes cross-platform attacks particularly challenging to defend against?”
• “How do you coordinate security between desktop and mobile devices?”

Certificate and Trust Model Analysis:

• “How do enterprise certificates work, and why would attackers target them?”
• “What happens when users trust malicious certificates on mobile devices?”
• “How do you detect abuse of legitimate security mechanisms?”

Supply Chain Investigation:

• “How would you determine if this came from compromised software distribution?”
• “What does it mean when trusted app stores distribute malicious software?”
• “How do you verify the integrity of software supply chains?”

Response Phase (Round 3) Facilitation

Multi-Platform Response Strategy:

• “How do you respond to threats affecting both computers and mobile devices?”
• “What coordination is needed between desktop IT and mobile device management?”
• “How do you prevent reinfection across connected devices?”

Certificate Management Response:

• “How do you identify and revoke malicious certificates?”
• “What mobile device management controls would prevent this type of attack?”
• “How do you rebuild trust after certificate compromise?”

Advanced Facilitation Techniques

Cross-Platform Security Concepts

Device Ecosystem Thinking:

• Help teams understand how connected devices create attack surfaces
• Guide discussion of trust relationships between different platforms
• Explore the challenges of securing heterogeneous device environments

Mobile Security Integration:

• Discuss how mobile devices integrate with enterprise security
• Explore the balance between device usability and security controls
• Guide development of policies for personal devices in work environments

Supply Chain Security

Trust and Verification:

• Help teams understand how software distribution creates security dependencies
• Guide discussion of code signing and certificate validation
• Explore the challenges of verifying software integrity across supply chains

Third-Party Risk Management:

• Discuss how organizations assess and manage third-party software risks
• Explore vendor security assessment and ongoing monitoring
• Guide development of supply chain security strategies

Real-World Learning Connections

Mobile Device Security

• Enterprise mobility management and mobile device policies
• iOS and Android security models and their limitations
• BYOD (Bring Your Own Device) security challenges and solutions
• Mobile application security and app store trust models

Certificate and Trust Management

• Public key infrastructure (PKI) and certificate authority systems
• Enterprise certificate management and monitoring
• Code signing and software integrity verification
• Mobile device certificate deployment and management

Cross-Platform Security Strategy

• Coordinating security across different operating systems and devices
• Integration of endpoint and mobile device management systems
• Policy development for heterogeneous device environments
• Incident response for multi-platform compromises

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes cross-platform propagation as distinct threat vector
• Understands certificate abuse and mobile security bypass techniques
• Develops response strategies coordinating desktop and mobile security
• Demonstrates understanding of supply chain compromise risks
• Integrates mobile device management with traditional endpoint security

Learning Assessment Questions

• “How does cross-platform propagation change your security architecture?”
• “What controls prevent abuse of enterprise certificates and app signing?”
• “How do you balance mobile device usability with security requirements?”
• “What supply chain security measures would prevent distribution of malicious apps?”

Community Contributions and Extensions

Advanced Scenarios

• BYOD Environment: WireLurker in organizations with extensive personal device usage
• Supply Chain Attack: Broader compromise of software distribution infrastructure
• APT Mobile Campaign: State-sponsored actors using cross-platform techniques
• IoT Integration: Cross-platform threats affecting Internet of Things devices

Real-World Applications

• Mobile Security Policy Development: Creating comprehensive BYOD and device management policies
• Certificate Management Strategy: Implementing enterprise certificate monitoring and response
• Supply Chain Security Assessment: Evaluating and improving software supply chain integrity
• Cross-Platform Incident Response: Developing procedures for multi-platform compromises

WireLurker demonstrates how modern threats transcend traditional platform boundaries, requiring security strategies that address the interconnected nature of personal and enterprise device ecosystems.

LockBit: The Ransomware Empire

Malmon Profile

Classification: Ransomware/Criminal ⭐⭐⭐
Discovery Credit: Multiple security vendors, 2019
First Documented: September 2019
Threat Level: Advanced (Ransomware-as-a-Service operation)

Malmon Card Reference

LockBit

Ransomware/Criminal

⭐⭐⭐

LockBit is a sophisticated ransomware-as-a-service operation that became one of the most prolific ransomware families. Operating through affiliate networks, LockBit combines rapid file encryption with data theft for double extortion tactics. Its professional criminal infrastructure includes customer support, negotiation services, and automated payment systems. LockBit's efficiency and widespread deployment made it a dominant threat in the ransomware landscape until major law enforcement disruptions in 2024.

🔥

Ransomware-as-a-Service

Professional criminal operation with affiliate network and customer support

⚡

Double Extortion

Combines file encryption with data theft for increased payment pressure

🔮

Rapid Encryption

Extremely fast file encryption algorithms minimize detection window

⬆️

Criminal Enterprise

Expands into multiple criminal services with international reach

💎

Backup Systems

Defeated by comprehensive, tested backup and recovery procedures

🔍5

🔒7

📡8

💣10

🥷7

Discovered By:Security Vendors

Habitat:Enterprise networks, high-value targets

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1566.001 (Spearphishing Attachment)
• Lateral Movement: T1210 (Exploitation of Remote Services)
• Impact: T1486 (Data Encrypted for Impact)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1566.001 Spearphishing Attachment	Initial Access	Initial access through malicious email attachments and compromised RDP	Email security, RDP hardening, multi-factor authentication	Email analysis, RDP monitoring, authentication logging
T1210 Exploitation of Remote Services	Lateral Movement	Exploits vulnerabilities in remote services for network propagation	Patch management, network segmentation, service hardening	Network monitoring, exploit detection, vulnerability scanning
T1486 Data Encrypted for Impact	Impact	Encrypts files using advanced encryption and demands ransom payment	Backup systems, file monitoring, incident response planning	File modification monitoring, encryption behavior, ransom notes

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

Ransomware-as-a-Service Model:

• Sophisticated affiliate program with profit sharing
• Automated deployment and management tools
• Professional customer support for victims
• +3 bonus to organizational disruption and profit generation

Double Extortion Strategy:

• Encrypts files AND steals sensitive data before encryption
• Threatens public release of stolen data if ransom isn’t paid
• Uses leaked data as additional pressure for payment
• +2 bonus to victim compliance and payment success

StealBit Data Theft Module (Hidden Ability):

• Automatically identifies and exfiltrates valuable data
• Targets specific file types and sensitive information
• Uploads stolen data to attacker-controlled infrastructure
• Triggers evolution to triple extortion with DDoS attacks

Type Effectiveness Against LockBit

Understanding which security controls work best against advanced Ransomware threats like LockBit:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Backup Systems (defeats encryption), Business Continuity Planning, Network Isolation (prevents spread)
• Moderately Effective: Behavioral Analysis (detects encryption activities), System Restoration, Law Enforcement Coordination
• Least Effective: Signature Detection (constantly evolving), User Education (professional operations), Payment/Negotiation

Ransomware-as-a-Service Considerations:
This represents professional criminal operations - emphasize business continuity, backup integrity, and coordinated response over technical containment alone.

Vulnerabilities

Law Enforcement Disruption:

• Centralized infrastructure creates single points of failure
• International cooperation can disrupt operations
• -3 penalty when coordinated law enforcement action occurs

Backup and Recovery Resilience:

• Organizations with tested offline backups can recover without payment
• Business continuity planning reduces impact
• Immutable backup systems defeat encryption attacks

Facilitation Guide

Pre-Session Preparation

Choose LockBit When:

• Advanced teams ready for sophisticated criminal operations
• Business continuity and crisis management concepts need emphasis
• Double extortion and data protection should be demonstrated
• Organizational decision-making under pressure is a learning objective
• Law enforcement coordination scenarios are desired

Avoid LockBit When:

• New teams who haven’t mastered basic ransomware response
• Technical-only focus where business impact isn’t relevant
• Organizations uncomfortable with payment/compliance discussions

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “All workstations displaying identical ransom messages”
• “File servers showing widespread file encryption”
• “Threat actors contacted executives directly about stolen data”
• “Business operations completely halted across all locations”

IM Question Progression:

1. “What distinguishes this from typical ransomware attacks?”
2. “How does data theft change the threat landscape?”
3. “What does professional criminal operation suggest about capabilities?”
4. “How do you respond when attackers have already stolen your data?”

Double Extortion Revelation: Introduce: “The attackers are threatening to publish your stolen customer data if you don’t pay within 72 hours…”

Investigation Phase (Round 2) Facilitation

Business Impact Assessment:

• “How do you calculate the cost of data exposure versus ransom payment?”
• “What stakeholders need to be involved in payment decisions?”
• “How do you assess damage when both encryption and theft occurred?”

Criminal Operation Analysis:

• “What does the sophistication of this operation tell us about the threat actors?”
• “How do you investigate when facing professional criminal enterprises?”
• “What law enforcement resources might be available for this type of threat?”

Response Phase (Round 3) Facilitation

Strategic Decision Making:

• “How do you balance immediate recovery with long-term security?”
• “What factors determine whether to involve law enforcement?”
• “How do you coordinate response when facing multiple simultaneous threats?”

Recovery and Prevention:

• “What changes are needed to prevent future ransomware success?”
• “How do you rebuild stakeholder confidence after a major breach?”

LockBit represents the professionalization of cybercrime, teaching lessons about business continuity, crisis decision-making, and the evolving landscape of financially motivated threats.

Legacy Malmons

🕰️ Code Red: The Internet Worm

Malmon Profile

Classification: 🕰️ Legacy Worm/Infrastructure ⭐⭐
Discovery Credit: eEye Digital Security, 2001
First Documented: July 13, 2001
Threat Level: Intermediate (Internet infrastructure threat)

Malmon Card Reference

LEGACY

Code Red

Worm/Web Server

⭐⭐

Code Red is a pioneering computer worm that emerged in 2001, targeting Microsoft IIS web servers across the internet. Using a buffer overflow vulnerability, it rapidly replicated itself while defacing web pages with pro-China messages. Code Red demonstrated the potential for internet-wide automated attacks and influenced modern worm design principles. At its peak, Code Red infected over 400,000 servers within hours, making it one of the first major internet security incidents.

🔥

Web Server Exploitation

Targets Microsoft IIS web servers via buffer overflow vulnerability

⚡

Rapid Internet Propagation

Self-replicating across internet infrastructure with exponential growth potential

🔮

DDoS Coordination

Infected systems coordinate distributed denial of service attacks

⬆️

Internet Infrastructure Threat

Achieves massive scale with potential to disrupt internet services

💎

Patch Management

Completely prevented by applying Microsoft security updates

🔍3

🔒5

📡10

💣6

🥷4

Discovered By:eEye Digital Security

Habitat:Windows IIS web servers, internet-facing systems

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1190 (Exploit Public-Facing Application)
• Impact: T1498 (Network Denial of Service)
• Command and Control: T1105 (Ingress Tool Transfer)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1190 Exploit Public-Facing Application	Initial Access	Exploits IIS web server vulnerabilities for initial compromise	Web application firewalls, patch management, server hardening	Web server monitoring, exploit detection, traffic analysis
T1498 Network Denial of Service	Impact	Launches coordinated DDoS attacks against target infrastructure	DDoS protection, traffic filtering, capacity planning	Traffic analysis, bandwidth monitoring, attack pattern recognition
T1105 Ingress Tool Transfer	Command and Control	Downloads additional malware components and updates	Network monitoring, application control, traffic analysis	Download monitoring, C2 detection, file analysis

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

Internet-Scale Propagation:

• Exploits buffer overflow in Microsoft IIS web servers
• Scans and infects vulnerable systems across the entire internet
• Self-replicates without any user interaction required
• +3 bonus to rapid spreading in environments with unpatched web servers

Coordinated DDoS Attack:

• Infected systems coordinate to attack predetermined targets
• Creates massive distributed denial of service capabilities
• Demonstrates early botnet-like coordination
• +2 bonus to infrastructure disruption and service availability impact

Memory-Only Persistence (Hidden Ability):

• Operates entirely in system memory without creating files
• Disappears on system restart but immediately reinfects from other sources
• Makes traditional file-based detection and removal ineffective
• Triggers evolution to more sophisticated fileless malware techniques

Type Effectiveness Against Code Red

Understanding which security controls work best against Worm-type infrastructure threats like Code Red:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Patch Management (prevents initial infection), Network Isolation (blocks propagation), Signature Detection (known exploit pattern)
• Moderately Effective: System Restoration (temporary mitigation), Behavioral Analysis (detects scanning activity)
• Least Effective: User Education (no user interaction required), Backup Systems (doesn’t address propagation), Forensic Analysis (memory-only operation)

Historical Worm Considerations:
This represents early internet-scale threats - emphasize rapid patch deployment, network monitoring, and coordinated response across infrastructure.

Vulnerabilities

Patch Dependency:

• Completely prevented by installing Microsoft security updates
• Vulnerable only to systems missing critical IIS patches
• -3 penalty when facing current patch management practices

Restart Mitigation:

• System reboot temporarily removes infection
• No persistent file presence means temporary disruption effectiveness
• Vulnerable to coordinated restart and patching responses

Facilitation Guide

Pre-Session Preparation

Choose Code Red When:

• Web server and internet infrastructure security concepts need emphasis
• Coordinated internet-scale attacks should be demonstrated
• Patch management and vulnerability response require illustration
• Historical perspective on internet security evolution is valuable
• Botnet concepts and DDoS attacks need introduction

Avoid Code Red When:

• Modern threat landscapes where historical attacks seem irrelevant
• Organizations without web-facing infrastructure where scenario doesn’t apply
• Endpoint-focused training where server security isn’t the priority

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Web servers across the internet showing signs of compromise”
• “Massive increase in scanning activity targeting IIS vulnerabilities”
• “Reports of web defacements with ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’”
• “Network monitoring detecting coordinated scanning from multiple sources”

IM Question Progression:

1. “How could a single vulnerability affect web servers worldwide simultaneously?”
2. “What would cause infected systems to coordinate their attacks?”
3. “How do you respond to threats targeting internet infrastructure rather than individual organizations?”
4. “What makes this different from targeted attacks on specific organizations?”

Expected Player Discovery Path:

• Detective: Analyzes web server logs and identifies buffer overflow exploitation
• Protector: Assesses web server compromise and infrastructure vulnerabilities
• Tracker: Maps internet-wide scanning and propagation patterns
• Communicator: Coordinates with internet service providers and security community
• Crisis Manager: Manages response to internet-scale infrastructure threat
• Threat Hunter: Investigates coordinated attack infrastructure and botnet behavior

Internet-Scale Revelation: Guide toward: “This isn’t targeting any specific organization - it’s attacking the entire internet infrastructure.”

Investigation Phase (Round 2) Facilitation

Infrastructure Scale Questions:

• “How do you investigate attacks affecting millions of systems worldwide?”
• “What coordination is needed when the threat affects global internet infrastructure?”
• “How do you assess impact when the attack targets foundational internet services?”

Coordinated Attack Analysis:

• “What does it mean when thousands of compromised systems coordinate their attacks?”
• “How do you defend against distributed attacks from compromised legitimate systems?”
• “What are the implications of turning internet infrastructure into attack platforms?”

Historical Context Exploration:

• “What does this attack teach us about internet security and vulnerability management?”
• “How did this change how organizations think about web server security?”
• “What lessons from Code Red still apply to modern internet security?”

Response Phase (Round 3) Facilitation

Global Coordination Response:

• “How do you coordinate response when attacks affect global internet infrastructure?”
• “What role do internet service providers play in responding to infrastructure threats?”
• “How do you balance individual organizational response with community-wide defense?”

Infrastructure Hardening:

• “What changes to internet architecture would prevent similar future attacks?”
• “How do you implement vulnerability management at internet scale?”
• “What role should vendors play in preventing widespread infrastructure compromise?”

Advanced Facilitation Techniques

Internet Infrastructure Security

Scale and Coordination Concepts:

• Help teams understand how internet-scale attacks differ from targeted threats
• Guide discussion of shared responsibility for internet infrastructure security
• Explore the challenges of coordinating response across organizational boundaries

Historical Learning:

• Connect Code Red lessons to modern infrastructure security challenges
• Discuss how early internet attacks shaped current security practices
• Explore the evolution from individual system attacks to infrastructure targeting

Collective Defense

Community Response:

• Guide discussion of how security communities coordinate during internet-wide threats
• Explore the role of information sharing and collective intelligence
• Discuss the balance between competitive business interests and shared security

Infrastructure Resilience:

• Help teams understand how internet architecture can be hardened against attacks
• Guide discussion of defense in depth for critical internet services
• Explore the role of redundancy and distributed architecture in resilience

Real-World Learning Connections

Internet Infrastructure Security

• Web server hardening and security configuration management
• Vulnerability management for internet-facing services
• Distributed denial of service attack prevention and mitigation
• Internet service provider security responsibilities and coordination

Coordinated Threat Response

• Information sharing and analysis centers (ISACs) and community response
• Government and industry coordination during infrastructure attacks
• International cooperation for internet security incidents
• Public-private partnership in critical infrastructure protection

Historical Cybersecurity Evolution

• How early internet attacks shaped modern security practices
• The evolution from individual system threats to infrastructure targeting
• Lessons learned from major historical cybersecurity incidents
• The development of coordinated cybersecurity response capabilities

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Understands Code Red as internet infrastructure threat rather than targeted attack
• Recognizes coordinated attack capabilities and botnet-like behavior
• Develops response strategies requiring global coordination and information sharing
• Demonstrates understanding of shared responsibility for internet security
• Connects historical lessons to modern infrastructure security challenges

Learning Assessment Questions

• “How do internet-scale attacks change incident response priorities and methods?”
• “What coordination mechanisms are needed for infrastructure-wide security threats?”
• “How do lessons from Code Red apply to modern internet security challenges?”
• “What role should organizations play in collective internet security defense?”

Community Contributions and Extensions

Advanced Scenarios

• Modern Infrastructure Worm: Updated Code Red targeting cloud infrastructure
• IoT Botnet Campaign: Internet-scale compromise of Internet of Things devices
• Supply Chain Infrastructure: Attacks targeting software distribution infrastructure
• Critical Infrastructure Coordination: Government and industry response to infrastructure attacks

Strategic Applications

• Infrastructure Security Assessment: Using Code Red lessons to evaluate organizational internet-facing services
• Community Response Planning: Developing capabilities for coordinated security response
• Vulnerability Management Strategy: Implementing comprehensive patch management for internet services
• Collective Defense Participation: Building relationships with security community and information sharing organizations

Code Red represents the emergence of internet-scale coordinated attacks, teaching crucial lessons about shared responsibility for internet infrastructure security and the need for community-wide coordinated defense against infrastructure threats.

🕰️ Stuxnet: The Digital Weapon

Malmon Profile

Classification: 🕰️ Legacy APT/Rootkit ⭐⭐⭐ (Legendary)
Discovery Credit: Symantec Security Response, 2010
First Documented: June 2010 (active since 2007)
Threat Level: Legendary (Nation-state cyber weapon)

Malmon Card Reference

LEGENDARY

Stuxnet

APT/Industrial

⭐⭐⭐

Stuxnet, a sophisticated computer worm, was discovered in 2010. It targeted industrial control systems, specifically SCADA systems. It notably disrupted Iran's nuclear program, causing physical damage to uranium enrichment infrastructure. Believed to be developed by a nation-state, Stuxnet marked a significant evolution in cybersecurity warfare.

🔥

Air Gap Jumping

Spreads via USB devices to breach isolated industrial networks

⚡

Industrial Sabotage

Targets SCADA systems and centrifuge operations with precision manipulation

🔮

Zero-Day Arsenal

Employs four previously unknown Windows vulnerabilities in coordinated attack

⬆️

Global Infrastructure Targeting

Expands beyond initial targets to threaten critical infrastructure worldwide

💎

Signature Detection

Once discovered, signatures can prevent further spread

🔍9

🔒10

📡7

💣10

🥷10

Discovered By:Security Researchers

Habitat:Industrial control systems, air-gapped networks

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1091 (Replication Through Removable Media)
• Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
• Command and Control: T1105 (Ingress Tool Transfer)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique	Tactic	Description	Mitigation	Detection
T1091 Replication Through Removable Media	Initial Access	Spreads via infected USB drives to breach air-gapped networks	USB controls, device management, network segmentation	USB monitoring, removable media scanning, network analysis
T1105 Ingress Tool Transfer	Command and Control	Downloads additional tools and updates for sustained operations	Network monitoring, application control, traffic analysis	Download monitoring, C2 detection, file analysis
T1068 Exploitation for Privilege Escalation	Privilege Escalation	Uses multiple zero-day exploits for system-level access	Patch management, privilege controls, system hardening	Exploit detection, privilege monitoring, behavioral analysis

IM Facilitation Notes:

• Use these techniques to guide player investigation questions
• Help players connect evidence to specific ATT&CK techniques
• Highlight type effectiveness relationships in responses
• Encourage discussion of real-world mitigation strategies

Core Capabilities

Zero-Day Arsenal:

• Exploited four different zero-day vulnerabilities simultaneously
• Included Windows kernel exploits and printer spooler vulnerabilities
• Represented unprecedented investment in exploit development
• +4 bonus against all standard detection and prevention systems

Air-Gap Jumping:

• Spreads via USB drives and removable media
• Can cross network segmentation and isolated systems
• Targets specific industrial control systems (Siemens PLCs)
• +3 bonus against network isolation and segmentation defenses

Physical World Impact (Hidden Ability):

• Specifically targets uranium enrichment centrifuges
• Causes physical damage to industrial equipment
• Bridges gap between cyber operations and kinetic effects
• Triggers evolution to broader critical infrastructure targeting

Type Effectiveness Against Stuxnet

Understanding which security controls work best against legendary APT/Rootkit threats like Stuxnet:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Threat Intelligence (attribution analysis), Behavioral Analysis (detecting sophisticated techniques), Air-gap Controls (when properly implemented)
• Moderately Effective: Forensic Analysis (for post-incident understanding), Zero Trust Architecture
• Least Effective: Signature Detection (zero-day exploits), Standard Network Controls (USB propagation), User Education (targets industrial systems)

Legendary Threat Considerations:
This represents nation-state capabilities - emphasize strategic thinking, attribution complexity, and policy implications over standard technical response.

Vulnerabilities

Highly Specific Targeting:

• Only activates on very specific industrial control configurations
• Requires exact combination of software and hardware
• -2 penalty when deployed outside intended target environment

Attribution Evidence:

• Sophisticated code leaves forensic artifacts pointing to state sponsorship
• Vulnerable to comprehensive forensic analysis and reverse engineering
• Can be attributed through code analysis, infrastructure, and geopolitical context

Facilitation Guide

Pre-Session Preparation

Choose Stuxnet When:

• Expert teams ready for nation-state level complexity
• Critical infrastructure protection is the learning focus
• Attribution and geopolitical analysis concepts should be explored
• Physical/cyber convergence needs demonstration
• Advanced persistent threat tactics require illustration

Avoid Stuxnet When:

• Novice or intermediate teams who haven’t mastered basic incident response
• Standard enterprise environments where industrial control systems aren’t relevant
• Time-limited sessions where complexity prevents adequate exploration

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Industrial control systems showing unusual behavior patterns”
• “Centrifuge equipment experiencing unexplained mechanical failures”
• “Network monitoring detecting USB-based malware propagation”
• “Systems with no internet connection showing signs of compromise”

IM Question Progression:

1. “How could isolated systems become infected without network access?”
2. “What would cause both cyber intrusion AND physical equipment failure?”
3. “What kind of threat actor has resources for this level of sophistication?”
4. “How do you investigate when the attack targets physical processes?”

Expected Player Discovery Path:

• Detective: Discovers sophisticated malware with multiple zero-day exploits
• Protector: Identifies compromise of air-gapped critical systems
• Tracker: Maps USB-based propagation across isolated networks
• Communicator: Assesses national security and geopolitical implications
• Crisis Manager: Coordinates response across cyber and physical domains
• Threat Hunter: Develops attribution analysis pointing to nation-state actors

Nation-State Revelation: Guide toward: “This level of sophistication, targeting, and resources suggests state-sponsored cyber operations.”

Investigation Phase (Round 2) Facilitation

Attribution and Geopolitical Questions:

• “What evidence points to specific nation-state involvement?”
• “How do you investigate when the threat actor is another government?”
• “What are the implications of cyber weapons targeting critical infrastructure?”

Physical/Cyber Convergence:

• “How do you assess damage when the attack affects both digital and physical systems?”
• “What expertise do you need beyond traditional cybersecurity?”
• “How do you coordinate with industrial engineers and safety systems?”

Strategic Implications:

• “What does this attack mean for international relations and warfare?”
• “How do you respond to state-sponsored attacks on critical infrastructure?”

Response Phase (Round 3) Facilitation

Multi-Domain Response:

• “How do you coordinate cybersecurity, physical security, and diplomatic responses?”
• “What information do you share with government agencies and international partners?”
• “How do you balance public disclosure with national security concerns?”

Long-Term Strategy:

• “What changes are needed to protect critical infrastructure from future state-sponsored attacks?”
• “How do you prepare for escalation in state-sponsored cyber operations?”

Advanced Facilitation Techniques

Managing Nation-State Complexity

Attribution Discussion:

• Guide teams through technical attribution (code analysis, infrastructure)
• Explore geopolitical attribution (motivation, capability, opportunity)
• Discuss intelligence community analysis and assessment confidence levels

Policy and Strategy Integration:

• Include discussion of cyber deterrence and international law
• Explore defensive strategies for critical infrastructure protection
• Address coordination between private sector and government agencies

Multi-Stakeholder Coordination:

• Simulate involvement of intelligence agencies, policy makers, and international partners
• Include coordination with industrial control system vendors and operators
• Address media management and public communication strategies

Real-World Learning Connections

Critical Infrastructure Security:

• Physical/cyber convergence in industrial control systems
• Safety system integration and fail-safe mechanisms
• Supply chain security for industrial control components

Nation-State Threat Analysis:

• Understanding state-sponsored threat actor capabilities and motivations
• Attribution methodologies and confidence assessment
• Intelligence analysis and strategic threat assessment

International Cooperation:

• Diplomatic responses to state-sponsored cyber attacks
• International law and norms in cyberspace
• Public-private partnership in critical infrastructure protection

Strategic Defense Planning:

• Deterrence strategies for nation-state cyber threats
• Critical infrastructure protection and resilience planning
• Integration of cyber defense with national security strategy

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes nation-state level sophistication and resources
• Understands physical/cyber convergence in critical infrastructure
• Demonstrates attribution analysis using multiple evidence sources
• Coordinates response across cyber, physical, and policy domains
• Addresses strategic implications beyond tactical incident response

Expert-Level Indicators:

• Discusses deterrence theory and international relations implications
• Explores supply chain security and vendor coordination strategies
• Considers long-term strategic responses to state-sponsored threats
• Demonstrates understanding of intelligence community assessment methods

Post-Session Reflection Questions

• “How does state sponsorship change incident response priorities and methods?”
• “What are the challenges and opportunities in attributing nation-state attacks?”
• “How should organizations coordinate with government agencies during strategic threats?”
• “What does Stuxnet teach us about the future of warfare and international conflict?”

Community Contributions and Extensions

Advanced Scenarios

• Stuxnet Variants: Other nation-state attacks on critical infrastructure
• Attribution Investigation: Following intelligence leads across multiple countries
• Defensive Strategy: Developing comprehensive critical infrastructure protection
• Policy Response: Creating international agreements on cyber weapon limitations

Strategic Applications

• Critical Infrastructure Assessment: Using Stuxnet lessons to evaluate organizational vulnerabilities
• Threat Modeling: Incorporating nation-state threat actors into risk assessments
• Strategic Planning: Developing enterprise strategies for state-sponsored threats
• Government Coordination: Building relationships with relevant government agencies

Stuxnet represents the emergence of cyber weapons as instruments of statecraft, teaching crucial lessons about the convergence of cybersecurity, national security, and international relations in the digital age.

🕰️ Gh0st RAT: The Remote Control Specialist

Malmon Profile

Classification: 🕰️ Legacy APT/Infostealer ⭐⭐⭐
Discovery Credit: Chinese APT research, 2008
First Documented: 2008
Threat Level: Advanced (Nation-state and criminal dual-use)

Malmon Card Reference

LEGACY

Gh0st RAT

RAT/Remote Access

⭐⭐

Gh0st RAT is a remote access trojan that has been widely used for cyber espionage. Written in C++, it grants attackers complete control over an infected system. This stealthy malware is known for its ability to operate silently, evading detection by blending in with normal network traffic and processes. Gh0st RAT is equipped with powerful capabilities, including keylogging, screen capturing, webcam control, and file manipulation.

🔥

Remote Control

Complete system access with keylogging, screen capture, and file manipulation

⚡

Stealth Communications

Encrypted command and control channels with traffic obfuscation

🔮

Botnet Coordination

Can coordinate with other infected systems for distributed operations

⬆️

Advanced Espionage Network

Develops sophisticated multi-system coordination and data exfiltration

💎

Network Monitoring

Command and control traffic patterns detectable by network analysis

🔍5

🔒8

📡6

💣8

🥷7

Discovered By:Security Researchers

Habitat:Windows systems, targeted organizations

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1566.001 (Spearphishing Attachment), T1190 (Exploit Public-Facing Application)
• Execution: T1204.002 (Malicious File), T1059.003 (Windows Command Shell)
• Persistence: T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task)
• Privilege Escalation: T1134 (Access Token Manipulation)
• Defense Evasion: T1055 (Process Injection), T1027 (Obfuscated Files)
• Credential Access: T1555 (Credentials from Password Stores), T1056.001 (Keylogging)
• Discovery: T1057 (Process Discovery), T1083 (File and Directory Discovery)
• Collection: T1005 (Data from Local System), T1025 (Data from Removable Media)
• Command and Control: T1071.001 (Application Layer Protocol), T1132.001 (Standard Encoding)
• Exfiltration: T1041 (Exfiltration Over C2 Channel)

Core Capabilities

Complete Remote Control:

• Full desktop access and system manipulation capabilities
• Real-time screen capture and keystroke logging
• File system browse, upload, and download functionality
• +3 bonus to comprehensive system compromise and data collection

Modular Plugin Architecture:

• Extensible framework allowing custom capability deployment
• Can load additional modules for specific target requirements
• Adapts functionality based on target environment and objectives
• +2 bonus to target-specific exploitation and persistence

Command Center Integration (Hidden Ability):

• Coordinates with other Gh0st RAT instances for large-scale operations
• Supports centralized management of multiple compromised systems
• Enables sophisticated multi-target campaigns and data aggregation
• Triggers evolution to coordinated APT-level operations

Type Effectiveness Against Gh0st RAT

Understanding which security controls work best against advanced APT/Infostealer threats like Gh0st RAT:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Network Monitoring (distinctive C2 patterns), Behavioral Analysis (remote control detection), Threat Intelligence (nation-state IOCs)
• Moderately Effective: System Monitoring (user interface anomalies), Access Controls (privilege limitation), Forensic Analysis (campaign reconstruction)
• Least Effective: User Education (post-compromise focus), Signature Detection (constantly evolving), Air-gap Controls (multi-vector infection)

Advanced RAT Considerations:
This represents nation-state and sophisticated criminal capabilities - emphasize coordinated response, attribution analysis, and assumption of multi-system compromise.

Vulnerabilities

Network Signature Detection:

• Distinctive network communication patterns identifiable by monitoring
• Command and control protocols have recognizable characteristics
• -2 penalty when advanced network monitoring is deployed

Behavioral Analysis Exposure:

• Remote control activities create obvious behavioral anomalies
• User interface manipulation detectable through system monitoring
• Vulnerable to runtime behavioral analysis and user activity monitoring

Facilitation Guide

Pre-Session Preparation

Choose Gh0st RAT When:

• Advanced teams ready for sophisticated remote access threats
• APT tactics and long-term compromise concepts should be demonstrated
• Multi-stage attacks and persistence need emphasis
• Attribution and threat actor analysis is a learning objective
• Coordinated response to sophisticated threats should be practiced

Avoid Gh0st RAT When:

• Novice teams who haven’t mastered basic malware response
• Single-session scenarios where long-term persistence isn’t relevant
• Purely technical focus where geopolitical context isn’t appropriate

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Users reporting computers operating independently with mouse and keyboard activity”
• “Unusual network traffic to servers in foreign countries during off-hours”
• “Files being accessed and copied without user knowledge”
• “Screenshots and documents appearing on desktop without user action”

IM Question Progression:

1. “What would cause computers to operate without user input?”
2. “How might someone gain complete control over remote systems?”
3. “What capabilities would an attacker want for long-term access?”
4. “What does foreign network communication suggest about threat actor motivation?”

Expected Player Discovery Path:

• Detective: Analyzes evidence of remote control and data access
• Protector: Identifies comprehensive system compromise and unauthorized access
• Tracker: Maps command and control communications to foreign infrastructure
• Communicator: Assesses implications of complete system compromise for business operations
• Crisis Manager: Coordinates response to sophisticated, ongoing threat
• Threat Hunter: Investigates attribution indicators and campaign connections

Remote Access Revelation: Guide toward: “This appears to be a remote access trojan giving attackers complete control over compromised systems.”

Investigation Phase (Round 2) Facilitation

Scope and Attribution Questions:

• “How do you assess the full extent of compromise when attackers have complete system access?”
• “What evidence helps determine whether this is criminal or nation-state activity?”
• “How long might attackers have had access before detection?”

Capability Assessment:

• “What could attackers accomplish with complete remote control?”
• “How do you investigate when attackers can see your investigation activities?”
• “What data and systems are most at risk from this level of access?”

Campaign Analysis:

• “What does the sophistication suggest about attacker resources and motivation?”
• “How might this connect to broader threat actor campaigns?”
• “What geopolitical factors might influence this attack?”

Response Phase (Round 3) Facilitation

Sophisticated Threat Response:

• “How do you respond to threats when attackers can monitor your response?”
• “What coordination is needed for sophisticated, potentially nation-state threats?”
• “How do you balance immediate containment with forensic preservation?”

Long-term Security Strategy:

• “What fundamental changes are needed to prevent future sophisticated access?”
• “How do you rebuild security when attackers had comprehensive access?”
• “What ongoing monitoring is needed after sophisticated compromise?”

Advanced Facilitation Techniques

Attribution and Geopolitical Context

Nation-State vs. Criminal Analysis:

• Guide discussion of threat actor motivation assessment
• Explore indicators that suggest state sponsorship vs. criminal activity
• Help teams understand attribution methodologies and confidence levels

Intelligence Integration:

• Discuss how threat intelligence supports attribution and response
• Explore coordination with government agencies and industry partners
• Address information sharing and operational security considerations

Advanced Persistent Threat Concepts

Long-term Compromise Management:

• Help teams understand the challenges of sophisticated, patient attackers
• Guide discussion of detection strategies for subtle, long-term access
• Explore the balance between monitoring and immediate containment

Campaign-level Thinking:

• Discuss how individual incidents connect to broader threat actor campaigns
• Explore strategic threat assessment and organizational risk evaluation
• Guide development of long-term defense strategies against sophisticated threats

Real-World Learning Connections

Advanced Threat Detection

• Behavioral analysis and anomaly detection for remote access activities
• Network monitoring and analysis for command and control communications
• User activity monitoring and endpoint detection capabilities
• Threat hunting methodologies for sophisticated threats

Attribution and Intelligence

• Technical attribution through malware analysis and infrastructure investigation
• Strategic attribution through motivation and capability assessment
• Threat intelligence collection, analysis, and sharing
• Coordination with government agencies and industry partners

APT Response and Recovery

• Incident response strategies for sophisticated, long-term compromise
• Forensic preservation and analysis in contested environments
• Security architecture redesign after advanced compromise
• Long-term monitoring and threat hunting after sophisticated incidents

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes sophisticated remote access capabilities and implications
• Understands attribution concepts and nation-state threat characteristics
• Develops response strategies appropriate for advanced persistent threats
• Demonstrates understanding of long-term compromise and recovery challenges
• Addresses strategic security improvements needed after sophisticated attacks

Advanced Learning Indicators

• Discusses geopolitical context and threat actor motivation
• Explores coordination with government agencies and international partners
• Considers strategic threat assessment and organizational risk evaluation
• Demonstrates understanding of advanced threat detection and hunting methodologies

Community Contributions and Extensions

Advanced Scenarios

• Multi-Target Campaign: Coordinated attacks across multiple organizations
• Supply Chain Compromise: Gh0st RAT delivered through compromised software
• Insider Coordination: RAT used in conjunction with insider threat
• Critical Infrastructure: Targeting of industrial control systems and critical services

Strategic Applications

• Threat Intelligence Development: Using Gh0st RAT indicators for broader campaign analysis
• Attribution Methodology: Developing technical and strategic attribution capabilities
• Advanced Detection: Implementing behavioral analysis and threat hunting for sophisticated threats
• International Cooperation: Building relationships for coordinated response to nation-state threats

Gh0st RAT represents the convergence of sophisticated technical capabilities with strategic threat actor objectives, teaching crucial lessons about advanced persistent threats, attribution, and coordinated response to nation-state level cybersecurity challenges.

🕰️ PoisonIvy: The Classic Remote Control

Malmon Profile

Classification: 🕰️ Legacy APT/Infostealer ⭐⭐
Discovery Credit: Security researchers, 2005
First Documented: 2005
Threat Level: Intermediate (Classic RAT with modern variants)

Malmon Card Reference

LEGACY

PoisonIvy

RAT/Espionage

⭐⭐

PoisonIvy is a notorious remote access trojan (RAT) used in cyber espionage since the mid-2000s. It allows attackers to control infected machines remotely—capturing keystrokes, stealing data, and spying via webcam or screen. Lightweight, stealthy, and highly customizable, PoisonIvy has been linked to several high-profile APT operations across the globe.

🔥

Classic Remote Access

Traditional RAT capabilities with file transfer, keylogging, and system control

⚡

Long-term Persistence

Designed for extended presence with minimal detection signatures

🔮

Campaign Coordination

Often used in conjunction with other tools in targeted attack campaigns

⬆️

Sophisticated Espionage Operation

Integrates with advanced persistent threat campaigns for intelligence gathering

💎

Behavioral Detection

Network communications and system behavior patterns reveal presence

🔍6

🔒9

📡5

💣7

🥷6

Discovered By:Security Community

Habitat:Corporate networks, government systems

Property Icons:

🔍Detection

🔒Persistence

📡Spread

💣Payload

🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

• Initial Access: T1566.001 (Spearphishing Attachment), T1189 (Drive-by Compromise)
• Execution: T1204.002 (Malicious File)
• Persistence: T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task)
• Privilege Escalation: T1134 (Access Token Manipulation)
• Defense Evasion: T1055 (Process Injection), T1027 (Obfuscated Files)
• Credential Access: T1056.001 (Keylogging), T1555 (Credentials from Password Stores)
• Discovery: T1057 (Process Discovery), T1082 (System Information Discovery)
• Collection: T1005 (Data from Local System), T1113 (Screen Capture)
• Command and Control: T1071.001 (Application Layer Protocol)
• Exfiltration: T1041 (Exfiltration Over C2 Channel)

Core Capabilities

Classic RAT Functionality:

• Complete remote desktop access and system control
• Keystroke logging and credential harvesting
• File system access, upload, and download capabilities
• +2 bonus to comprehensive system monitoring and data collection

Stealth and Persistence:

• Process injection and rootkit-like hiding capabilities
• Registry and file system persistence mechanisms
• Network communication obfuscation and encryption
• +2 bonus to long-term undetected presence

Modular Expansion (Hidden Ability):

• Plugin architecture allowing capability enhancement
• Can load additional modules for specific target requirements
• Supports custom tools and exploits for specialized objectives
• Triggers evolution to advanced persistent threat with custom toolsets

Type Effectiveness Against PoisonIvy

Understanding which security controls work best against classic APT/Infostealer threats like PoisonIvy:

Trojan

Weak to: Detection

Resists: Training

Worm

Weak to: Isolation

Resists: Backup

Ransomware

Weak to: Backup

Resists: Encryption

Rootkit

Weak to: Forensics

Resists: Detection

APT

Weak to: Intelligence

Phishing

Weak to: Training

Botnet

Weak to: Coordination

Infostealer

Weak to: Encryption

Key Strategic Insights for IMs:

• Most Effective: Behavioral Analysis (detects remote control activities), Network Monitoring (C2 communications), User Activity Monitoring (unusual system access)
• Moderately Effective: Signature Detection (well-known family), Threat Intelligence (established IOCs), Access Controls (limits privilege escalation)
• Least Effective: User Education (post-infection focus), Air-gap Controls (already inside network), Physical Security (software-based threat)

Classic RAT Considerations:
This represents traditional remote access trojans - emphasize behavioral detection, network monitoring, and the importance of assuming breach when investigating.

Vulnerabilities

Signature-Based Detection:

• Well-known malware family with extensive signature coverage
• Network communication patterns identifiable by modern monitoring
• -2 penalty against updated antivirus and network detection systems

User Activity Monitoring:

• Remote control activities create obvious behavioral anomalies
• File access and system manipulation detectable through endpoint monitoring
• Vulnerable to user activity analysis and behavioral detection systems

Facilitation Guide

Pre-Session Preparation

Choose PoisonIvy When:

• Intermediate teams learning about classic remote access threats
• Credential theft and data exfiltration concepts need demonstration
• Long-term persistence and stealth should be explored
• Evolution of threat techniques is a learning objective
• Detection strategy development for remote access threats

Avoid PoisonIvy When:

• Novice teams who need simpler, more straightforward threats
• Advanced teams seeking cutting-edge or sophisticated techniques
• Short sessions where persistence concepts can’t be fully explored

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

• “Users reporting occasional computer slowdowns and unusual network activity”
• “Passwords and credentials compromised despite no obvious phishing”
• “Files accessed and modified outside of normal business hours”
• “Network monitoring detecting encrypted communications to unknown servers”

IM Question Progression:

1. “What could cause credential theft without obvious phishing or malware?”
2. “How might someone access files during off-hours without physical presence?”
3. “What would create encrypted network traffic that bypasses normal monitoring?”
4. “What persistence mechanisms would allow long-term, undetected access?”

Expected Player Discovery Path:

• Detective: Analyzes evidence of unauthorized access and credential compromise
• Protector: Identifies signs of persistent, unauthorized system presence
• Tracker: Maps encrypted command and control communications
• Communicator: Investigates user reports of unusual system behavior
• Crisis Manager: Coordinates investigation of suspected long-term compromise
• Threat Hunter: Searches for advanced persistence and stealth indicators

Remote Access Discovery: Guide toward: “This appears to be a remote access trojan that’s been operating undetected for an extended period.”

Investigation Phase (Round 2) Facilitation

Long-term Compromise Assessment:

• “How do you investigate when attackers may have had access for months or years?”
• “What data and credentials should you assume have been compromised?”
• “How do you determine the full scope of a long-term persistent threat?”

Stealth Technique Analysis:

• “What techniques allow malware to remain undetected for extended periods?”
• “How do you investigate threats that actively hide their presence?”
• “What indicators reveal long-term compromise despite stealth measures?”

Data and Credential Impact:

• “What sensitive information might have been accessed during long-term presence?”
• “How do you assess credential compromise when keylogging was possible?”
• “What business processes might have been observed or influenced?”

Response Phase (Round 3) Facilitation

Persistent Threat Response:

• “How do you ensure complete removal of threats designed for long-term persistence?”
• “What credential and system changes are needed after long-term compromise?”
• “How do you rebuild trust in systems after extended unauthorized access?”

Detection Enhancement:

• “What monitoring improvements would detect similar threats earlier?”
• “How do you balance user privacy with the monitoring needed to detect RATs?”
• “What combination of technical and procedural controls prevents future long-term compromise?”

Advanced Facilitation Techniques

Historical Context and Evolution

Classic vs. Modern RATs:

• Help teams understand how remote access threats have evolved
• Guide discussion of persistent techniques and detection improvements
• Explore how older threats inform modern security strategies

Threat Landscape Development:

• Discuss how PoisonIvy represents early sophisticated threats
• Explore lessons learned from classic RAT families
• Guide understanding of threat evolution and defensive adaptation

Long-term Compromise Management

Persistence Analysis:

• Help teams understand sophisticated persistence mechanisms
• Guide discussion of stealth techniques and detection evasion
• Explore the challenges of detecting patient, careful attackers

Comprehensive Response Planning:

• Discuss the complexity of responding to long-term compromise
• Explore credential management and system trust rebuilding
• Guide development of comprehensive recovery strategies

Real-World Learning Connections

Remote Access Threat Detection

• Behavioral analysis and anomaly detection for remote access activities
• Network monitoring and encrypted communication analysis
• Endpoint detection and response for persistent threats
• User activity monitoring and access pattern analysis

Credential Security Management

• Credential theft detection and response procedures
• Password and authentication security enhancement
• Privileged access management and monitoring
• Multi-factor authentication and access controls

Long-term Compromise Recovery

• Incident response for extended unauthorized access
• System and credential trust rebuilding procedures
• Forensic analysis for long-term compromise assessment
• Business continuity during comprehensive security rebuilding

Assessment and Learning Objectives

Success Indicators

Team Successfully:

• Recognizes remote access trojan capabilities and long-term persistence
• Understands credential theft and data exfiltration implications
• Develops response strategies for extended compromise scenarios
• Demonstrates understanding of stealth techniques and detection challenges
• Addresses comprehensive recovery needs after long-term unauthorized access

Learning Assessment Questions

• “How does long-term persistence change incident response priorities?”
• “What detection strategies effectively identify stealthy remote access threats?”
• “How do you rebuild system and credential trust after extended compromise?”
• “What monitoring improvements balance security with user privacy concerns?”

Community Contributions and Extensions

Advanced Scenarios

• APT Campaign Integration: PoisonIvy as part of broader advanced persistent threat
• Supply Chain Delivery: RAT delivered through compromised software or hardware
• Insider Coordination: Remote access combined with insider threat activities
• Critical System Access: RAT targeting industrial control systems or critical infrastructure

Strategic Applications

• Historical Threat Analysis: Using classic RAT families to understand threat evolution
• Detection Strategy Development: Building comprehensive monitoring for remote access threats
• Incident Response Enhancement: Developing procedures for long-term compromise scenarios
• Security Architecture: Designing systems resistant to persistent remote access threats

PoisonIvy represents the classic remote access threat that has influenced decades of cybersecurity defense development, teaching fundamental lessons about persistence, stealth, and the ongoing challenge of detecting patient, sophisticated attackers who seek long-term access to target systems.