FakeBat Scenario: Freelancer Coworking Space

Nexus Cowork: Professional coworking space, 150 members, downtown tech district
Social Engineering • FakeBat
STAKES
Client projects + Freelancer livelihoods + Shared network security + Professional reputation
HOOK
Nexus Cowork is supporting independent professionals when the shared network experiences widespread browser issues and unexpected software installations. Freelancers report downloading ‘essential productivity tools’ and ‘collaboration software’ that appeared necessary for client work, but these were sophisticated software masquerading attacks targeting remote workers.
PRESSURE
  • Multiple client deadlines Monday – network compromise threatens freelancer businesses and workspace reputation
FRONT • 120 minutes • Intermediate
NPCs
  • Workspace Manager Jake Morrison: Operating coworking space with compromised shared systems affecting freelancer productivity
  • Network Administrator Carlos Martinez: Investigating fake productivity software affecting multiple independent workers
  • Community Manager Diana Foster: Reporting freelancer concerns about browser issues and unexpected software behavior
  • Member Services Coordinator Robert Chen: Addressing impact on client work and professional services across diverse freelancers
SECRETS
  • Freelancers installed convincing fake collaboration tools, project management software, and business productivity applications
  • Malicious software is masquerading as essential freelancer tools while deploying trojans across shared workspace
  • Browser modifications are affecting client communications and creating security risks for independent professional work

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

FakeBat Freelancer Coworking Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

FakeBat Freelancer Coworking Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It’s Friday afternoon at Nexus Cowork, and what should be focused work before Monday client deadlines has turned into a crisis. Multiple freelancers are reporting browser issues – redirects to unexpected productivity websites, persistent advertisements appearing during client video calls, and concerning system performance. Independent professionals mention installing ‘must-have collaboration tools’ and ‘essential project management software’ they discovered online to improve client deliverables. With dozens of freelancers facing Monday deadlines and shared network security at risk, investigate what’s happening before malware destroys both professional livelihoods and workspace trust.”

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • “Freelancer workstations showing degraded performance since yesterday”
  • “Browsers redirecting to unexpected business productivity websites”
  • “Persistent pop-up advertisements appearing during client video conferences”
  • “Multiple reports of installing ‘collaboration enhancers’ and ‘project management tools’”
  • “Help desk reports 7 calls about browser homepage changes to productivity portals”

Key Discovery Paths:

Detective Investigation Leads:

  • Software logs show ‘FreelancerPro_Suite.exe’ and ‘CollabSync_Manager.exe’ installed on 30+ coworking workstations
  • Process monitoring reveals unfamiliar executables running from temp directories across multiple freelancer systems
  • Browser history shows visits to ‘freelance-productivity-pro.com’ and ‘remote-work-tools-official.com’
  • Registry analysis shows unauthorized browser extensions and productivity overlay modifications

Protector System Analysis:

  • Memory scans reveal browser hijacking processes across freelancer workstations on shared network
  • System performance metrics show hidden processes consuming resources during client work
  • Browser security analysis reveals freelancer-themed extensions with client data access permissions
  • Digital signature verification shows ‘productivity tools’ lack valid publisher signatures

Tracker Network Investigation:

  • DNS logs show queries to recently registered freelance and remote work tool domains
  • Network traffic analysis reveals connections to advertising and malware distribution servers
  • Browser traffic shows redirected professional searches and injected productivity advertisements
  • Shared network shows unusual connection patterns from compromised freelancer workstations
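
One way to test the Tracker DNS lead, written here as an added example (not part of the original scenario materials): flag host/domain pairs whose queries recur at a near-constant interval, then keep only domains that are recently registered and contacted by several workstations. The log format, hostnames, timestamps, registration dates and the `example.com` domains are constructed; the defanged domain and the 15-minute callback interval come from the scenario's Lunch & Learn clues.

```python
"""Beacon triage over DNS query logs (added example; all log data is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

C2_DOMAIN = "cdn-freelance-tools[.]xyz"  # from the scenario clue, kept defanged
UPDATE_DOMAIN = "updates.example.com"    # constructed: benign hourly poller
MAIL_DOMAIN = "mail.example.com"         # constructed: irregular human traffic
NOW = datetime(2024, 5, 10, 12, 0, 0)    # constructed "time of analysis"

# Constructed registration dates; in practice these come from WHOIS/RDAP lookups.
REGISTERED = {
    C2_DOMAIN: datetime(2024, 5, 3),
    UPDATE_DOMAIN: datetime(2015, 1, 1),
    MAIL_DOMAIN: datetime(2012, 6, 1),
}


def build_sample_log():
    """Return constructed log lines: '<ISO timestamp> <workstation> <domain>'."""
    start = datetime(2024, 5, 10, 9, 0, 0)
    jitter = [0, 4, -3, 6, -5, 2, -1, 3]  # seconds of drift around each callback
    lines = []
    for n, host in enumerate(["ws-011", "ws-014", "ws-027"]):
        for i in range(8):  # callbacks roughly every 900 s (15 minutes)
            ts = start + timedelta(seconds=n * 37 + i * 900 + jitter[(i + n) % 8])
            lines.append(f"{ts.isoformat()} {host} {C2_DOMAIN}")
    for i in range(6):  # a legitimate updater is periodic too
        ts = start + timedelta(seconds=i * 3600)
        lines.append(f"{ts.isoformat()} ws-002 {UPDATE_DOMAIN}")
    for off in [30, 95, 1400, 1500, 5200, 9000, 9100]:  # bursty, human-driven
        ts = start + timedelta(seconds=off)
        lines.append(f"{ts.isoformat()} ws-014 {MAIL_DOMAIN}")
    lines.append("garbled line without the expected fields here")
    return lines


def parse(lines):
    """Group query timestamps by (workstation, domain); skip malformed lines."""
    series = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        series[(parts[1], parts[2].lower())].append(when)
    return series


def periodic_pairs(series, min_events=6, max_cv=0.10):
    """Return {(host, domain): mean gap in seconds} for near-constant intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive queries; beacons with light jitter stay well under 0.10.
    """
    found = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = avg
    return found


def triage(lines, now, max_age_days=30, min_hosts=2):
    """Rank periodic domains; suspicious = young domain AND several hosts."""
    by_domain = defaultdict(dict)
    for (host, domain), avg in periodic_pairs(parse(lines)).items():
        by_domain[domain][host] = avg
    findings = []
    for domain, hosts in by_domain.items():
        reg = REGISTERED.get(domain)
        age = (now - reg).days if reg else None
        # An unknown registration date is treated as "young" so it gets reviewed.
        recent = age is None or age <= max_age_days
        findings.append({
            "domain": domain,
            "hosts": sorted(hosts),
            "interval_min": round(mean(hosts.values()) / 60, 1),
            "domain_age_days": age,
            "suspicious": recent and len(hosts) >= min_hosts,
        })
    return sorted(findings, key=lambda f: (not f["suspicious"], f["domain"]))


if __name__ == "__main__":
    for finding in triage(build_sample_log(), NOW):
        print(finding)
```

Periodicity alone also matches the hourly updater in the sample, which is why domain age and the number of affected workstations decide what gets escalated.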

Communicator Stakeholder Interviews:

  • Freelancers report finding ‘essential business tools’ through professional networking groups and productivity forums
  • Workspace manager expressing concern about shared network security with compromised systems
  • Network administrator reveals coworking policy allows freelancers to install business software
  • Community manager describes how freelancers installed tools seeking competitive advantage for client work

Mid-Scenario Pressure Points:

  • Hour 2: Multiple freelancers report urgent client deadlines Monday – requires functional systems for deliverable completion
  • Hour 3: Workspace members questioning network security and considering alternative coworking locations
  • Hour 4: Client of affected freelancer calls workspace directly expressing concern about data security

Evolution Triggers:

  • If containment takes longer than 4 hours, FakeBat begins targeting client communication channels
  • If browser security isn’t addressed, malware spreads to additional freelancers using shared resources
  • If fake software source isn’t identified, new coworking members may encounter same threats

Resolution Pathways:

Technical Success Indicators:

  • Team identifies FakeBat through freelancer-focused software verification and multi-workstation behavior analysis
  • Shared network security policies prevent future freelancer-initiated malicious software installations
  • Browser and client communication isolation protects professional data and business relationships

Business Success Indicators:

  • Freelancer productivity restored with minimal impact on Monday client deadlines
  • Workspace reputation maintained through transparent communication and security demonstration
  • Coworking operations continue while systematically cleaning and securing shared systems

Learning Success Indicators:

  • Team understands how freelancer-focused software masquerading exploits professional productivity desires
  • Participants recognize challenges of securing shared workspace environments with diverse users
  • Group demonstrates balance between freelancer autonomy and network security in coworking spaces

Common IM Facilitation Challenges:

If Team Focuses Too Heavily on Technical Details:

“That’s excellent analysis of the shared network infection pattern. How does this information help you communicate the security status to the freelancers who have client deadlines Monday?”

If Business Stakeholders Are Ignored:

“While you’re investigating the malware, the workspace manager just received a call from a long-term member considering leaving due to security concerns. How do you handle this?”

If Software Masquerading Aspect Is Missed:

“The technical indicators are clear, but why did freelancers trust these particular productivity tools and install them seeking business advantage?”

Success Metrics for Session:

Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish coworking crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing freelancer-targeted fake software and shared workspace security risks.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of shared workspace security challenges. Use the full set of NPCs to create realistic coworking environment pressures. The two rounds allow FakeBat to progress toward client communications, escalating stakes. Debrief can explore balance between freelancer autonomy and security controls in shared professional spaces.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing shared network security, freelancer business needs, workspace operations, and professional trust. The three rounds allow for full narrative arc including villain’s coworking-specific multi-stage attack plan.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate freelance tool updates causing unrelated performance issues). Make containment ambiguous, requiring players to justify business-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of shared workspace security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “You discover that 30+ coworking workstations visited ‘freelance-productivity-pro.com’ and ‘remote-work-tools-official.com’ over the past two days and downloaded ‘FreelancerPro_Suite.exe’ and ‘CollabSync_Manager.exe’. Both domains were registered last week.”

Clue 2 (Minute 10): “Analyzing the downloaded files reveals they lack valid publisher digital signatures. Legitimate freelance productivity tools always have verified signatures from recognized business software publishers.”

Clue 3 (Minute 15): “You find new browser extensions installed across freelancer workstations: ‘Remote Work Optimizer’ and ‘Client Collaboration Plus’. Both have permissions to access client communication data and are injecting business-related advertisements into legitimate professional websites.”

Pre-Defined Response Options

Option A: Workstation Cleaning & Shared Network Policies

  • Action: Remove malware from affected freelancer systems, implement shared workspace security policies that balance autonomy with protection, verify network isolation.
  • Pros: Completely removes threat and establishes secure coworking environment policies; protects client data across diverse users.
  • Cons: Time-intensive workstation-by-workstation remediation; may temporarily limit freelancer software installation flexibility.
  • Type Effectiveness: Super effective against Trojan type malmons like FakeBat in shared environments.

Option B: Browser Lockdown & User Education

  • Action: Implement browser security policies for shared workspace, reset compromised browsers, provide freelancer education on software verification for business tools.
  • Pros: Prevents persistent browser compromises in coworking environment; addresses human factor with targeted education.
  • Cons: Doesn’t remove underlying malware that may redeploy during freelancer sessions.
  • Type Effectiveness: Moderately effective against Browser Hijacker threats in shared workspaces.

Option C: Network Segmentation & Malicious Domain Blocking

  • Action: Segment freelancer network traffic, add malicious domains to workspace firewall blocklist, implement DNS filtering for productivity software downloads.
  • Pros: Protects shared infrastructure immediately; prevents additional freelancers from downloading fake business tools.
  • Cons: Doesn’t remove already-installed malware from 30+ compromised freelancer workstations.
  • Type Effectiveness: Partially effective against Downloader type malmons; protects infrastructure but not endpoints.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Initial Detection & Coworking Response (35-40 minutes)

Opening Hook & Investigation Phase (Minutes 0-20)

It’s Friday afternoon at Nexus Cowork, and what should be focused pre-weekend client work has devolved into chaos. Jake Morrison, your workspace manager, looks stressed as he briefs you: ‘We have freelancers reporting browser problems across multiple desks. Some are saying their productivity tools are acting strange, others mention installing collaboration software yesterday. We have people with Monday client deliverables who can’t work reliably. Can you figure out what’s happening before this damages our reputation and people start canceling memberships?’

Time-Stamped Investigation Clues (Present every 3-5 minutes):

Minute 5 – Detective Discovery: “You examine workspace network logs and find something concerning: 30+ different freelancer workstations visited ‘freelance-productivity-pro.com’ and ‘remote-work-tools-official.com’ over the past 48 hours. Both domains were registered just last week. Download logs show ‘FreelancerPro_Suite.exe’ and ‘CollabSync_Manager.exe’ installations across multiple independent contractors.”

Minute 8 – Protector Analysis: “Running memory scans on several affected workstations reveals unfamiliar processes: ‘fpro_service.exe’ and ‘collab_sync.exe’ running from temp directories. These processes are injecting code into browser sessions and have hooks into Chrome, Firefox, and Edge. Digital signature checks show both executables lack valid publisher certificates–legitimate business software always includes verified signatures.”

Minute 12 – Tracker Network Evidence: “DNS query logs reveal the compromised freelancer workstations are making regular connections to ‘cdn-freelance-tools[.]xyz’ and ‘analytics-workspace-pro[.]net’–both registered to privacy-protected hosting in Eastern Europe. Network traffic analysis shows these aren’t analytics; they’re command-and-control callbacks happening every 15 minutes from 30+ independent systems.”

Minute 16 – Communicator Interviews: “You speak with affected freelancers. Diana Foster, community manager, shares: ‘Multiple members mentioned they found these tools through searches for remote work collaboration software. The websites looked professional–screenshots, testimonials, the whole package. One freelancer said they installed it because a client deadline was approaching and they needed better project management. Nobody suspected these were fake.’”

Minute 20 – Critical Discovery: “Browser analysis reveals the scope: affected workstations have extensions named ‘Remote Work Optimizer’ and ‘Client Collaboration Plus’ installed without user knowledge. Both extensions have permissions to: read and change all your data on websites you visit, manage your downloads, and access your tabs. They’re actively injecting advertisements into legitimate freelancer research and redirecting professional searches to malicious sites.”
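
The permission set in this clue maps onto fields of an extension's `manifest.json`, so it can be checked across workstations. The following audit is an added example, not part of the original scenario: the manifests are constructed (only the two extension names come from the clue; `Team Notes Clipper` and `notes.example.com` are hypothetical), and the `cookies` and `webRequest` entries in `SENSITIVE_APIS` are additions beyond the clue.

```python
"""Audit browser-extension manifests for the permission set named in the clue.

Added example; every manifest below is constructed for illustration.
"""
import json

# Host patterns that grant access to every site ("read and change all your data").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# "tabs" and "downloads" are the API permissions the clue names; "cookies" and
# "webRequest" are additions for this example and are only reported, not required.
CLUE_APIS = {"tabs", "downloads"}
SENSITIVE_APIS = CLUE_APIS | {"cookies", "webRequest"}

SAMPLE_MANIFESTS = [
    # Constructed Manifest V3 example using a name from the clue.
    '''{"manifest_version": 3, "name": "Remote Work Optimizer", "version": "1.0",
        "permissions": ["tabs", "downloads", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}''',
    # Constructed Manifest V2 example: host patterns live inside "permissions".
    '''{"manifest_version": 2, "name": "Client Collaboration Plus", "version": "2.3",
        "permissions": ["tabs", "downloads", "*://*/*"],
        "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                             "js": ["ads.js"]}]}''',
    # Hypothetical benign extension scoped to a single site.
    '''{"manifest_version": 3, "name": "Team Notes Clipper", "version": "0.9",
        "permissions": ["activeTab", "storage"],
        "host_permissions": ["https://notes.example.com/*"]}''',
    # Truncated file, as found on a partially cleaned workstation.
    '{"manifest_version": 3, "name": "Broken"',
]


def _strings(value):
    """Return only the string items of a list; anything else yields []."""
    if not isinstance(value, list):
        return []
    return [item for item in value if isinstance(item, str)]


def audit_manifest(text):
    """Parse one manifest.json and report the access it requests."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        # An unreadable manifest cannot be cleared, so it is flagged for review.
        return {"name": None, "error": f"unreadable manifest: {exc.msg}",
                "flagged": True}
    if not isinstance(manifest, dict):
        return {"name": None, "error": "manifest is not a JSON object",
                "flagged": True}

    perms = _strings(manifest.get("permissions"))
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them
    # into permissions alongside API names.
    hosts = set(_strings(manifest.get("host_permissions")))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    apis = {p for p in perms if p not in hosts}

    # Content scripts matching every site are how ads get injected into pages.
    injected = set()
    for script in manifest.get("content_scripts") or []:
        if isinstance(script, dict):
            injected |= set(_strings(script.get("matches")))

    broad = bool(hosts & BROAD_HOSTS)
    injects_everywhere = bool(injected & BROAD_HOSTS)
    return {
        "name": manifest.get("name"),
        "manifest_version": manifest.get("manifest_version"),
        "broad_host_access": broad,
        "injects_into_all_sites": injects_everywhere,
        "sensitive_apis": sorted(apis & SENSITIVE_APIS),
        # Flag the combination from the clue: all-site access plus tabs + downloads.
        "flagged": (broad or injects_everywhere) and CLUE_APIS <= apis,
    }


def audit_all(manifest_texts):
    """Audit each manifest text in order and return the list of reports."""
    return [audit_manifest(text) for text in manifest_texts]


if __name__ == "__main__":
    for report in audit_all(SAMPLE_MANIFESTS):
        print(report)
```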

Response Decision Phase (Minutes 20-35)

Pressure Event (Minute 22): Jake Morrison (Workspace Manager) interrupts with urgency: “I just got off the phone with three long-term members asking if our network is secure. One mentioned they’re considering moving to the coworking space downtown because they can’t risk client data exposure. We need answers now–what do I tell people about their professional data and Monday deliverables?”

Available Response Options:

Option A: Immediate Workstation Quarantine & Staged Cleaning

  • Isolate all 30+ affected freelancer workstations from shared network
  • Begin systematic malware removal starting with client-deadline freelancers
  • Implement temporary guest network for unaffected members
  • Create workspace software verification policy before reconnection

Pros: Prevents further spread through shared workspace; prioritizes business-critical freelancers; establishes verification protocol

Cons: Significant disruption to 30+ independent businesses; weekend cleaning required; member frustration likely

Type Effectiveness: Super effective against Trojan-type spread in coworking environments

Option B: Browser Security Lockdown & Network Filtering

  • Reset all affected browsers to default configurations
  • Remove malicious extensions and browser modifications
  • Implement workspace-wide DNS filtering blocking malicious domains
  • Deploy browser security policies for shared workspace systems

Pros: Quick deployment minimizes freelancer downtime; protects client communication channels; prevents new infections

Cons: Underlying malware may persist and redeploy; doesn’t address root compromise on 30+ systems

Type Effectiveness: Moderately effective against browser hijacking; incomplete against full infection

Option C: Forensic Investigation & Professional Communication

  • Document full scope for insurance and potential member notification
  • Identify patient zero and infection timeline across freelancers
  • Prepare detailed member communication about workspace security
  • Engage external IR support for professional assessment

Pros: Comprehensive understanding of compromise; professional documentation; transparency builds trust

Cons: Investigation extends member uncertainty; potential news spread hurts reputation; delayed remediation

Type Effectiveness: No immediate technical containment; purely investigative approach

Round 1 Debrief Questions (Minutes 35-40)

  1. Technical Understanding: “How did FakeBat leverage freelancer productivity desires to compromise 30+ independent systems? What made the fake productivity tools convincing?”

  2. Shared Workspace Context: “What security challenges are unique to coworking spaces where independent contractors need autonomy but share network infrastructure?”

  3. Stakeholder Balance: “How did you balance Jake Morrison’s need for member retention with Carlos Martinez’s recommendation for thorough system cleaning? What trade-offs did you consider?”

  4. Response Effectiveness: “Which parts of your response addressed immediate member concerns versus long-term workspace security? Did you explain the difference clearly?”

Round 2: Containment & Coworking Trust (35-45 minutes)

Evolution Narrative (Minute 40)

IM Transition Based on Round 1 Choice:

If Option A (Workstation Quarantine) was chosen: “Your systematic cleaning approach is working, but it’s Saturday morning and you’re only through 12 of 30+ compromised workstations. Jake Morrison calls with concerning news: ‘Five members with Monday client deliverables are asking when they’ll have access again. One mentioned they might work from a coffee shop this weekend using their compromised laptop. Also, Robert Chen reports three prospective members toured yesterday, and two asked pointed questions about our recent security issues. How do we handle this?’”

If Option B (Browser Lockdown) was chosen: “Your browser security measures deployed quickly and members are back to work–but Carlos Martinez has troubling findings: ‘The browser fixes were surface-level. I’m still detecting ‘fpro_service.exe’ running on 20+ workstations, and it’s attempting to reinstall the browser extensions every few hours. We blocked the C2 domains, but the malware is trying alternative communication methods. We need deeper remediation, but that means re-disrupting freelancers who think everything’s fixed.’”

If Option C (Investigation) was chosen: “Your forensic documentation is comprehensive, but it’s Saturday afternoon and Jake Morrison is receiving member cancellation emails. ‘Four freelancers notified us they’re not renewing next month, citing security concerns. Your investigation report is detailed, but members want to know what we’re DOING, not just what happened. We have compromised systems still operating in our workspace, and our reputation is deteriorating while we document.’”

Advanced Investigation Clues (Present every 4-5 minutes)

Minute 44 – Detective Depth: “Deeper analysis of ‘FreelancerPro_Suite.exe’ reveals it’s a loader–its job is delivering additional payloads. You find evidence of secondary infections: RedLine Stealer and Vidar Infostealer deployed to 8 workstations where freelancers had saved client passwords in browsers. Those freelancers’ client credentials may be compromised. This explains FakeBat’s pay-per-install business model–it monetizes by loading other malware families.”

Minute 49 – Protector Findings: “Memory forensics on heavily-infected systems shows credential theft in action. Browser password stores were accessed on workstations belonging to freelancers in web development, graphic design, and consulting. Client FTP credentials, WordPress logins, AWS console access–all potentially exfiltrated. This isn’t just workspace disruption; it’s client business compromise across multiple freelancer portfolios.”

Minute 54 – Tracker Attribution: “You trace the infection source: the fake productivity websites used malvertising through Google Ads. Searches for ‘freelance collaboration tools’ and ‘remote work productivity software’ triggered ads leading to fake download sites. The threat actors specifically targeted keywords freelancers use. This wasn’t random–it was a calculated campaign targeting independent professionals in coworking environments.”

Minute 59 – Communicator Stakeholder Crisis: “Diana Foster reports escalating concerns: ‘A freelancer just told me their client received suspicious login attempts to shared project management tools. The client is asking questions about security practices. Another member posted in our community Slack asking if others experienced similar issues–the conversation is getting tense. People want to know: are their clients’ data safe, and should they be notifying their own customers?’”

Advanced Response Options (Minutes 60-75)

Pressure Event (Minute 62): Robert Chen (Member Services) delivers difficult news: “I have a freelancer whose client contracts require breach notification within 72 hours if credentials are potentially compromised. They’re asking if this incident meets that threshold. If they notify their client about workspace-originated compromise, that client might publicize it. We could be looking at reputation damage beyond our member community. Also, the graphic designer with the Monday pitch? Their client just called Jake Morrison directly asking about our security practices. What’s our official position?”

Enhanced Response Options:

Option D: Comprehensive Member Remediation & Client Protection

  • Complete malware removal from all 30+ workstations using dedicated weekend effort
  • Provide affected freelancers with client communication templates about potential credential exposure
  • Offer workspace-funded password manager subscriptions for all members
  • Implement mandatory security orientation for new and existing members

Business Impact: High remediation cost, weekend overtime, but demonstrates workspace commitment

Member Impact: Short-term disruption, long-term protection, professional support for client notification

Reputation Impact: Transparent approach may build trust; proactive support demonstrates responsibility

Type Effectiveness: Comprehensive containment addressing technical and business dimensions

Option E: Selective Deep Cleaning & Liability Management

  • Focus intensive remediation on 8 workstations with confirmed credential theft
  • Provide those freelancers with professional IR support for client notification
  • Implement browser-based protections workspace-wide for remaining systems
  • Document member security responsibilities in updated membership agreements

Business Impact: Controlled costs through triage approach; legal protection via policy updates

Member Impact: Uneven response–comprehensive for high-risk, basic for others

Reputation Impact: May appear cost-focused rather than member-focused

Type Effectiveness: Addresses most critical compromises; accepts residual risk on other systems

Option F: External IR Partnership & Professional Standards

  • Engage external cybersecurity firm for professional workspace assessment
  • Implement findings as workspace security certification (advertising competitive advantage)
  • Provide all affected freelancers with complimentary IR consultation
  • Transform incident into workspace security differentiator for marketing

Business Impact: Significant investment converts crisis to competitive advantage

Member Impact: Professional-grade security builds confidence; valuable member benefit

Reputation Impact: Proactive professional response demonstrates workspace quality

Type Effectiveness: Comprehensive technical response plus strategic business positioning

NPC Interactions (Introduce throughout Round 2)

Jake Morrison (Workspace Manager) - Business Continuity Focus: “I understand your technical recommendations, but I need to balance member retention with security. We have freelancers who pay $350/month for reliable workspace–if we disrupt their client work too aggressively, they’ll leave regardless of our security improvements. Can we phase the remediation? High-risk systems first, others during scheduled maintenance?”

Carlos Martinez (Network Administrator) - Technical Thoroughness: “Partial cleaning is how organizations end up reinfected within weeks. Every compromised workstation is a potential re-infection source for the shared network. I know it’s disruptive, but we need complete remediation on all 30+ systems, not just the obviously compromised ones. If we cut corners now, we’ll be dealing with this again next month.”

Diana Foster (Community Manager) - Member Trust: “Our community is built on trust and collaboration–that’s why freelancers choose us over coffee shops. Some members are defending us on Slack, saying these incidents happen everywhere. Others are questioning whether we take security seriously. How we handle this will define our community culture. Are we transparent and supportive, or defensive and minimal?”

Robert Chen (Member Services) - Liability & Communication: “I’m getting specific questions I can’t answer without your guidance: Should freelancers notify their clients? Are we liable for any client data compromised through our network? Can we require members to follow specific security practices? Our membership agreements don’t clearly address malware incidents. We need clear direction on what we’re telling people.”

Round 2 Debrief Questions (Minutes 75-85)

  1. Layered Response: “How did FakeBat’s pay-per-install model make this incident more complex than simple browser hijacking? What did the secondary payload deployment mean for freelancers and their clients?”

  2. Stakeholder Conflicts: “Jake Morrison wanted fast member restoration, Carlos Martinez wanted thorough cleaning, Diana Foster focused on community trust, and Robert Chen worried about liability. How did you navigate these competing legitimate priorities?”

  3. Shared Responsibility: “What security responsibilities belong to the workspace versus individual freelancer members? Where’s the boundary between shared infrastructure protection and independent contractor autonomy?”

  4. Client Impact: “Several freelancers face potential client notification requirements due to credential theft. How did your response address not just workspace security but freelancers’ professional obligations to their own clients?”

  5. Reputation Management: “Did your response communicate competence and care, or did it feel defensive or minimal? How do coworking spaces balance transparency about security incidents with protecting business reputation?”

Key Learning Objectives (Lunch & Learn)

Technical Concepts:

  • Software masquerading and fake productivity tool characteristics
  • Loader/dropper malware delivering secondary payloads (pay-per-install model)
  • Browser hijacking persistence and credential theft progression
  • Shared network security challenges in coworking environments

Business Context:

  • Balancing freelancer autonomy with workspace security responsibilities
  • Member retention pressures during security incidents
  • Professional reputation management for service-based businesses
  • Client impact considerations beyond immediate workspace scope

Incident Response Skills:

  • Triaging 30+ compromised independent systems with varying business impacts
  • Communicating security status to non-technical stakeholders with competing priorities
  • Developing phased remediation approaches balancing thoroughness with disruption
  • Managing reputation during incidents in community-focused business environments

Full Game Materials (120-140 min, 3 rounds)

Tip: Full Game vs. Lunch & Learn

The Full Game adds open investigation (no guided clues), creative responses (no pre-defined options), and a third round focused on long-term strategic recovery. Rounds run longer (35-45 min each) to allow deeper exploration.

Use the Key Discovery Paths above as your guide for what information is available when players investigate. Use Resolution Pathways to evaluate team decisions. The Lunch & Learn clues and response options are still useful as a personal reference for what “good” investigation and response looks like.

It’s Friday afternoon at Nexus Cowork, and 150 members are working toward Monday client deadlines. Community Manager Diana Foster reports that multiple members across different specializations – designers, developers, consultants, writers – are experiencing browser problems after installing fake productivity software found through Google Ads. Investigation reveals FakeBat loader malware on 30+ workstations, delivered through convincing fake freelancer productivity tools targeting coworking space members searching for collaboration and project management software.

Players investigate openly using their role capabilities. Key discoveries available include the malvertising campaign specifically targeting freelancer productivity searches with geofenced ads, FakeBat loader with browser hijacking and extension injection across 30+ shared workstations, RedLine Stealer and Vidar Infostealer deployment on 8 workstations with client credential exfiltration, and the pay-per-install business model exploiting independent professionals with client access but limited security awareness.

If team stalls: Member Services Manager Robert Chen interrupts: “A freelancer just forwarded an email from their client – the client detected unauthorized login attempts using credentials only our member had. The freelancer is panicking because this client represents 40% of their income. Three prospective members are touring at 4 PM. What do we tell everyone?”

Facilitation questions:

  • “30+ independent freelancers are affected, each with their own clients, deadlines, and business concerns. Unlike a single company, you can’t issue one directive – each member is an independent business. How do you coordinate incident response across 30 autonomous professionals?”
  • “Client credentials stored in browsers on shared workstations were exfiltrated. Each freelancer has different clients with different data sensitivity. Do you advise all 30+ members to notify their clients simultaneously, or prioritize based on confirmed versus suspected compromise?”
  • “The workspace’s value proposition is ‘professional environment for independent work.’ An active malware incident on shared infrastructure contradicts that promise. How do you communicate honestly without destroying the trust that keeps 150 members paying monthly fees?”

Round 1→2 Transition

The team’s containment approach and member communication shape what follows. Coworking environments create a unique stakeholder complexity: each affected member is an independent business with their own clients, deadlines, and professional reputation at risk. The workspace isn’t just managing one incident – it’s coordinating 30+ parallel business crises.

Round 2: Credential Cascade & Liability Crisis (40-45 min)

Deeper forensic analysis reveals the credential theft scope: RedLine Stealer and Vidar Infostealer captured browser-stored credentials from 8 heavily compromised workstations, including client FTP access, WordPress admin logins, AWS console credentials, and project management system passwords for freelancers across web development, cloud architecture, and graphic design. One freelancer’s client confirms unauthorized access to their project management system. Members are comparing notes in the Slack channel, and the narrative is shifting from “isolated issues” to “workspace security failure.”

If member communication was transparent in Round 1: Members appreciate honesty but are demanding specifics. A web developer asks: “Which systems had credential stealers? I need to know if MY client data was compromised – I can’t just notify all my clients based on uncertainty.” The demand for individual certainty conflicts with forensic investigation timelines.

If member communication was minimized: Members discovered the scope through their own investigation and Slack discussions. Trust in workspace communication is now damaged. A member posts: “They told us ‘isolated issues’ but 30+ systems were compromised. What else are they not telling us?”

Facilitation questions:

  • “A freelancer whose client was breached through stolen workspace credentials is asking about liability. Who is responsible when shared coworking infrastructure compromise damages a member’s client relationship – the workspace, the freelancer, or both? Jake Morrison needs an answer before calling the member.”
  • “Carlos Martinez discovers that FakeBat adapted to your containment – it switched to a domain generation algorithm after you blocked known C2 domains. Your initial blocklist approach is already obsolete. How do you handle an adversary that evolves faster than your resource-constrained response?”
  • “An external security researcher contacts you: they’ve been tracking this FakeBat campaign and offer free technical help, but they’ll present about affected organizations at a conference in two weeks. Do you accept help that comes with eventual public disclosure?”

Round 2→3 Transition

The immediate crisis shifts from technical containment to coworking business model sustainability. The fundamental question emerges: how does a shared workspace operate securely when members need autonomy but share infrastructure, when liability boundaries are unclear, and when trust in shared resources is the entire business proposition?

Round 3: Coworking Model Recovery & Shared Space Security Architecture (40-55 min)

Opening: Two weeks after discovery. All malware has been removed, but the aftermath is revealing the structural challenges of shared workspace security. Four members have left citing security concerns, three prospective members chose competitors, and the community is debating shared infrastructure trust in public forums.

Investigation focus areas:

  • Member relationship recovery: individual outreach to affected members, credential monitoring support, client relationship mediation for members whose clients were impacted through workspace compromise
  • Shared workspace security architecture: network segmentation (member VLANs), endpoint security standards for shared workstations, DNS filtering, software installation policies that balance security with freelancer autonomy
  • Liability and business model: updated membership agreements clarifying security responsibilities, cyber insurance evaluation, tiered membership with security-enhanced options
  • Community trust rebuilding: transparent security improvement communication, member security education programs, positioning security as a competitive differentiator for professional coworking

Pressure events:

  • A freelancer whose client was breached through stolen workspace credentials has hired an attorney claiming negligence in workspace security infrastructure
  • The security researcher’s conference presentation is scheduled in 10 days – Nexus Cowork will be identifiable as an affected organization unless they negotiate confidentiality
  • A board member proposes pivoting the business model away from shared workstations entirely, arguing the security liability is unmanageable
  • Three members organize a ‘workspace security town hall’ and invite all 150 members – the workspace must participate or appear defensive

Facilitation questions:

  • “The attorney’s letter argues Nexus Cowork was negligent because shared workstation security was inadequate. Your membership agreement disclaims responsibility for member device security – but these were workspace-provided workstations on a workspace-managed network. Does the disclaimer hold?”
  • “At the community town hall, a member asks: ‘Should I assume shared workspace networks are inherently insecure for client work?’ How do you answer honestly while maintaining the business proposition that shared workspaces can be professional environments?”

Victory conditions for full 3-round arc:

  • Complete FakeBat removal with comprehensive credential compromise assessment and affected member support across all client relationships
  • Liability exposure managed through transparent communication and appropriate member support offerings
  • Shared workspace security architecture redesigned: network segmentation, endpoint standards, software controls balancing security with freelancer autonomy
  • Community trust rebuilt through transparent post-incident communication and demonstrated security investment

Debrief Focus

  • How shared workspace environments create unique incident response challenges when each “user” is an independent business with their own clients and liability exposure
  • The liability complexity when shared infrastructure compromise cascades through member-client relationships to organizations that never agreed to the workspace’s security posture
  • Balancing freelancer autonomy (the core coworking value proposition) with security controls that restrict the installation freedom that attracted members
  • How FakeBat’s targeted malvertising campaign specifically exploited the freelancer demographic that coworking spaces serve
  • Building sustainable security for environments where the business model depends on infrastructure sharing but trust depends on infrastructure isolation

Advanced Challenge Materials (150-170 min)

Red Herrings & Misdirection

  1. Legitimate productivity tools: Several freelancers installed genuine productivity software the same week – real Notion, Slack, and Asana desktop apps create installation patterns indistinguishable from FakeBat delivery without deep analysis.
  2. Workspace software deployment: Carlos Martinez pushed legitimate workspace management software on Tuesday that modified browser settings, creating alerts that overlap with malware indicators and complicate the forensic timeline.
  3. Member-owned device crossover: Some members used personal laptops on the workspace network during the compromise period – their devices show network indicators that may be unrelated personal browsing activity.
  4. Network performance issues: Aging network infrastructure creates intermittent performance problems that members attribute to the malware incident, generating false reports of ongoing compromise.

Removed Resources & Constraints

  • No malware reference guides or incident response frameworks during gameplay – players must identify FakeBat’s multi-stage behavior from observed indicators
  • Carlos Martinez has network administration skills but limited security training – his technical recommendations address symptoms without necessarily addressing root causes
  • No budget for external incident response – the workspace operates on thin margins and emergency funds require board approval
  • Member-owned devices on the shared network cannot be forensically examined without individual member consent, creating permanent investigation blind spots

Enhanced Pressure

  • Prospective member tour group arrives during Round 1 investigation, forcing a real-time decision about transparency vs. optics
  • A member discovers their personal crypto wallet was drained using credentials stolen from the workspace workstation – the financial impact is immediate and significant
  • The workspace’s landlord learns about the incident and questions whether it affects lease terms regarding “operating a professional business environment”
  • A freelancer community blog publishes a detailed post about the incident with 200+ comments, most critical of coworking space security practices

Ethical Dilemmas

  1. Member business impact accountability: A freelancer lost their largest client due to workspace-compromised credentials. The workspace didn’t promise cybersecurity protection, but the member reasonably expected professional infrastructure. What does the workspace owe this member – apology, compensation, both, neither?
  2. False positive disruption: 8 members whose systems were quarantined turned out to be clean – their client work was interrupted unnecessarily. They want compensation for lost productivity. Do you compensate and set a precedent, or explain that false positives are unavoidable in incident response?
  3. Notification uncertainty: Carlos Martinez has 80% confidence that 6 systems had credentials stolen, 60% for 2 more, and 40% for 4 others. Each notification carries professional consequences for the affected freelancer. What confidence threshold triggers client notification – certainty, high probability, or any suspicion?
  4. Community transparency vs. member privacy: Full public disclosure about the incident scope helps the community understand the risk but identifies which members were affected. Affected members have asked for privacy to protect their professional reputation. How do you serve community transparency while respecting individual privacy?
