FakeBat Scenario: Nonprofit Organization Deception

Community Outreach Foundation: Charitable organization, 35 volunteers, serving underserved populations
Social Engineering • FakeBat
STAKES
Donor information + Volunteer safety + Program funding + Community trust
HOOK
Community Outreach is coordinating assistance programs when volunteer computers begin experiencing browser redirects and persistent advertisements. Staff report installing 'security updates' and 'productivity software' that appeared critical for data protection, but these were sophisticated software masquerading attacks targeting nonprofit environments.
PRESSURE
Annual fundraising gala Thursday - system compromise threatens donor confidence and program funding
FRONT • 120 minutes • Intermediate
NPCs
  • Executive Director Maria Santos: Leading nonprofit operations with compromised volunteer systems affecting donor relations
  • Volunteer Coordinator David Park: Investigating fake software installations affecting volunteer productivity and safety
  • Development Manager Rebecca Foster: Reporting concerns about donor data security and fundraising system integrity
  • IT Volunteer Coordinator Mike Johnson: Addressing browser modifications and unauthorized software across volunteer computers
SECRETS
  • Volunteers installed convincing fake antivirus software, productivity tools, and data protection utilities
  • Malicious software is masquerading as nonprofit-focused applications while deploying data collection payloads
  • Browser hijacking is affecting donor communications and creating security risks for fundraising operations

Planning Resources

Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

FakeBat Nonprofit Organization Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

FakeBat Nonprofit Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Community Outreach Foundation: Charitable Mission Crisis During Fundraising Gala

Organization Profile

  • Type: Charitable nonprofit organization providing emergency food assistance, transitional housing support, job training programs, family counseling services, and community outreach for underserved populations across urban and rural communities
  • Size: 35 active volunteers (15 regular volunteers providing weekly service, 20 occasional volunteers supporting special events and seasonal programs) plus 3 paid staff including executive director, program coordinator, and part-time volunteer coordinator managing donor relations, grant writing, and community partnerships across three-county service region
  • Annual Operations: Serving 500 families annually through $400,000 operating budget funded 60% by private donations, 25% by foundation grants, and 15% by government contracts, coordinating emergency food distribution providing 12,000 meals monthly to families facing food insecurity, managing transitional housing programs supporting 45 families escaping homelessness or domestic violence situations, operating job training workshops preparing 120 participants annually for employment opportunities, maintaining donor database tracking 850 individual contributors and 40 corporate sponsors, utilizing volunteer-managed technology systems including public cloud services for donor management, fundraising coordination, and program service tracking, and depending on community trust and donor confidence to sustain charitable mission serving vulnerable populations
  • Current Fundraising Crisis: Annual fundraising gala Thursday evening generating 60% of program funding ($240,000)—event features 200 donors, community partners, and local officials, but browser-based malware discovery Tuesday threatens both event coordination systems and donor database security, creating impossible choice between fundraising continuity and donor information protection

Key Assets & Impact

Asset Category 1: Fundraising Gala Revenue & Annual Program Sustainability - Thursday gala generates $240K representing 60% annual budget, cancellation eliminates emergency food programs serving 500 families, transitional housing support for 45 homeless families depends on fundraising success

Asset Category 2: Donor Trust & Community Confidence - 850 donors contribute because they trust nonprofit protects personal information, browser malware compromise threatens donor credit card data and contact information, trust damage permanently eliminates charitable giving and community support

Asset Category 3: Volunteer Safety & Service Delivery Continuity - 35 volunteers operate infected systems accessing donor data and program participant information, malware risk creates liability for volunteer safety versus service delivery to vulnerable populations depending on nonprofit support

Immediate Business Pressure

Tuesday Morning, 9:30 AM - 48 Hours Before Fundraising Gala:

Volunteer Coordinator Mike Thompson discovered browser-based malware infections across volunteer systems used for donor outreach, gala coordination, and fundraising database management. FakeBat—malicious software delivered through compromised browser updates targeting nonprofit organizations—had infected 12 volunteer computers during the past three weeks, potentially compromising donor credit card information, contact databases, and fundraising campaign materials.

The annual fundraising gala was Thursday evening—48 hours away. The event represented $240,000 in donations supporting emergency food programs feeding 500 families, transitional housing for 45 homeless families, and job training programs. Event preparations required volunteer coordination using infected systems for donor outreach, auction management, and program presentations.

But browser malware threatened donor database security. If credit card information or personal data had been compromised, Community Outreach Foundation faced an impossible choice: continue gala preparations and risk donor trust, or cancel the event and eliminate 60% of the annual budget and emergency services for vulnerable populations.

Critical Timeline & Operational Deadlines

  • Three weeks ago: FakeBat infiltration via compromised browser updates on volunteer systems
  • Tuesday, 9:30 AM (Session Start): Malware discovery 48 hours before fundraising gala
  • Thursday, 6:00 PM: Annual fundraising gala begins, $240K revenue target representing 60% annual budget
  • Post-gala: Donor notification obligations, credit card company cooperation, community trust restoration

Cultural & Organizational Factors

Factor 1: Volunteer technology users with diverse skill levels normalized clicking browser update prompts despite security warnings

Factor 2: Minimal IT budget and donated equipment prevented enterprise security controls and technical monitoring

Factor 3: Fundraising pressure prioritized donor outreach productivity over volunteer system security verification

Factor 4: Community trust mission created organizational fear that security incident disclosure would eliminate charitable donations

Operational Context

Nonprofit organizations operate under charitable mission imperatives where donor trust, volunteer safety, and service delivery to vulnerable populations create ethical obligations beyond commercial considerations—security incidents affecting donor information or volunteer systems threaten organizational survival not through financial losses but through community confidence erosion that eliminates charitable giving sustaining essential social services for underserved families.

Key Stakeholders

Stakeholder 1: Mike Thompson - Volunteer Coordinator

Stakeholder 2: Jennifer Martinez - Executive Director

Stakeholder 3: Sarah Chen - Program Coordinator

Stakeholder 4: Major Donor Representative

Why This Matters

You’re not just removing browser-based malware from nonprofit systems—you’re determining whether fundraising continuity obligations override donor information protection when gala cancellation threatens emergency services for 500 vulnerable families.

You’re not just protecting donor databases—you’re defining whether charitable organizations prioritize community trust through transparent security incident disclosure, or preserve mission funding through event continuation despite malware compromise risks.

IM Facilitation Notes

1. Emphasize dual impact—volunteer safety AND vulnerable family services both depend on fundraising success

2. Make gala timing tangible—48-hour window with $240K (60% annual budget) creates genuine resource pressure

3. Use volunteer technology environment to explore security challenges in resource-constrained nonprofit settings

4. Present FakeBat as deliberate nonprofit targeting that exploits trust-based volunteer coordination

5. Address nonprofit responsibility balancing mission delivery against donor protection obligations

6. Celebrate transparent donor communication prioritizing community trust despite fundraising and service impacts

Opening Presentation

“It’s Tuesday morning at Community Outreach Foundation, and what should be final preparations for Thursday’s annual fundraising gala has turned into a crisis. Multiple volunteer computers are showing concerning behavior - browsers redirecting to unexpected websites, persistent advertisements appearing during donor communications, and staff reporting they installed ‘critical security updates’ and ‘data protection software’ yesterday. With your biggest fundraising event in two days and donor confidence on the line, investigate what’s happening before browser compromise destroys both your funding and your community reputation.”

Initial Symptoms to Present:

Initial User Reports
  • “Volunteer computers running slower than normal since yesterday”
  • “Browsers redirecting to unexpected charity and donation websites”
  • “Persistent pop-up advertisements appearing during donor work”
  • “Staff mention installing ‘urgent security updates’ for data protection”
  • “Help desk reports 4 calls about browser homepage changes to charity portals”

Key Discovery Paths:

Detective Investigation Leads:

  • Software installation logs show ‘NonprofitSecure_Suite.exe’ and ‘DonorProtect_Tool.exe’ installed on volunteer workstations
  • Process monitoring reveals unfamiliar executables running from temp directories
  • Browser history shows visits to ‘nonprofit-security-tools.org’ and ‘charity-data-protection.com’ domains
  • Registry analysis shows unauthorized browser extensions and homepage modifications to fake charity portals

Protector System Analysis:

  • Memory scans reveal browser hijacking processes modifying web traffic across volunteer systems
  • System performance metrics show hidden processes consuming resources on donor management computers
  • Browser security analysis reveals nonprofit-themed extensions with broad data access permissions
  • Digital signature verification shows ‘security updates’ lack valid publisher signatures

Tracker Network Investigation:

  • DNS logs show queries to recently registered domains mimicking nonprofit security services
  • Network traffic analysis reveals connections to advertising and malware distribution servers
  • Browser traffic shows redirected donor searches and injected charity-related advertisements
  • Download source analysis traces fake updates to malicious software distribution targeting nonprofits

Communicator Stakeholder Interviews:

  • Volunteers report receiving convincing pop-up notifications about ‘nonprofit cybersecurity compliance’
  • Executive Director expressing concern about gala donor communications with compromised systems
  • IT Volunteer Coordinator reveals volunteers have administrative rights for productivity software
  • Development Manager describes how fake security warnings appeared during sensitive donor data work

Mid-Scenario Pressure Points:

  • Hour 2: Major donor calls to confirm gala attendance - requires functional volunteer systems for event coordination
  • Hour 3: Executive Director demands explanation for why volunteer productivity has dropped before critical fundraising event
  • Hour 4: Development manager reports potential donor is questioning organization’s cybersecurity after seeing browser issues during site visit

Evolution Triggers:

  • If containment takes longer than 3 hours, FakeBat begins targeting donor database connections
  • If browser security isn’t addressed, malware creates persistent infection vectors across volunteer systems
  • If fake software source isn’t identified, additional volunteers may install similar nonprofit-targeted malware

Resolution Pathways:

Technical Success Indicators:

  • Team identifies FakeBat through software verification and nonprofit-targeted browser behavior analysis
  • Browser security hardening prevents future unauthorized installations targeting volunteer systems
  • Software installation policies prevent masquerading attacks in nonprofit volunteer environment

Business Success Indicators:

  • Fundraising gala proceeds with minimal impact despite security incident
  • Donor confidence maintained through transparent communication about volunteer system protection
  • Volunteer operations continue while removing malware from affected workstations

Learning Success Indicators:

  • Team understands how software masquerading exploits nonprofit resource constraints and volunteer trust
  • Participants recognize importance of software verification in volunteer-based technology environments
  • Group demonstrates balance between volunteer autonomy and security controls for charitable organizations

Common IM Facilitation Challenges:

If Team Focuses Too Heavily on Technical Details:

“That’s excellent analysis of the nonprofit-targeted browser hijacking techniques. How does this information help you communicate the security status to the major donor who’s calling about the gala?”

If Business Stakeholders Are Ignored:

“While you’re conducting this investigation, Maria just received another call from the board asking about Thursday’s fundraising event. How do you handle that conversation?”

If Software Masquerading Aspect Is Missed:

“The technical indicators are clear, but why did volunteers trust these particular ‘security updates’ and ‘data protection tools’ during this specific time period before the gala?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish nonprofit crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing nonprofit-targeted fake software and volunteer system security risks.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of nonprofit cybersecurity challenges. Use the full set of NPCs to create realistic charitable organization decision-making pressures. The two rounds allow FakeBat to progress toward donor database, raising stakes. Debrief can explore balance between volunteer productivity and security controls in resource-constrained environments.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing volunteer system security, donor protection, organizational operations, and community trust. The three rounds allow for full narrative arc including villain’s nonprofit-specific multi-stage attack plan.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate nonprofit software updates causing unrelated performance issues). Make containment ambiguous, requiring players to justify donor-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of nonprofit cybersecurity principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “You discover that multiple volunteer workstations visited ‘nonprofit-security-tools.org’ and ‘charity-data-protection.com’ yesterday and downloaded ‘NonprofitSecure_Suite.exe’ and ‘DonorProtect_Tool.exe’. Both domains were registered last week.”

Clue 2 (Minute 10): “Analyzing the downloaded files reveals they lack valid publisher digital signatures. Legitimate nonprofit security tools would have verified signatures from recognized cybersecurity vendors.”

Clue 3 (Minute 15): “You find new browser extensions installed on volunteer workstations: ‘Nonprofit Data Guard’ and ‘Charity Security Helper’. Both have permissions to access donor information and payment data, and are injecting charity-related advertisements into legitimate nonprofit websites.”
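
For IMs who want to show what the Clue 3 finding (and the "broad data access permissions" lead under Protector System Analysis) looks like in practice, here is an added example, not part of the original scenario materials, that audits Chromium-style extension manifests. The extension names come from the scenario; the manifest contents, the third extension and the `load_manifests` directory layout are constructed assumptions.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site the volunteer visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing data or allow traffic modification.
SENSITIVE_APIS = {"cookies", "webRequest", "tabs", "history", "clipboardRead",
                  "management", "proxy", "debugger", "nativeMessaging"}

def audit_manifest(manifest):
    """Return a sorted list of risk findings for one parsed manifest.json."""
    findings = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 separates them.
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])
    declared += manifest.get("optional_host_permissions", [])
    for perm in declared:
        if not isinstance(perm, str):
            continue
        if perm in BROAD_HOSTS:
            findings.add("broad-host-access")
        elif perm in SENSITIVE_APIS:
            findings.add(f"sensitive-api:{perm}")
    # Content scripts matching every site are how ads get injected into pages.
    for script in manifest.get("content_scripts", []):
        if BROAD_HOSTS & set(script.get("matches", [])):
            findings.add("content-script-all-sites")
    # Homepage / search / startup overrides explain the changed homepages.
    for key in manifest.get("chrome_settings_overrides", {}):
        findings.add(f"settings-override:{key}")
    return sorted(findings)

def audit_all(manifests):
    """Map extension name -> findings, keeping only extensions with findings."""
    report = {}
    for manifest in manifests:
        findings = audit_manifest(manifest)
        if findings:
            report[manifest.get("name", "<unnamed>")] = findings
    return report

def load_manifests(extensions_dir):
    """Yield manifests from an <id>/<version>/manifest.json tree (assumed layout)."""
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            yield json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip, do not abort triage

# Constructed sample manifests for the exercise (not real malware artifacts).
SAMPLE_MANIFESTS = [
    {"manifest_version": 3, "name": "Nonprofit Data Guard",
     "permissions": ["cookies", "webRequest", "tabs", "storage"],
     "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
     "chrome_settings_overrides": {"homepage": "https://portal.invalid/"}},
    {"manifest_version": 2, "name": "Charity Security Helper",
     "permissions": ["tabs", "history", "*://*/*"],
     "content_scripts": [{"matches": ["https://*/*"], "js": ["ads.js"]}]},
    {"manifest_version": 3, "name": "Spreadsheet Helper",
     "permissions": ["storage", "activeTab"],
     "host_permissions": ["https://docs.example.com/*"]},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(f"{name}: {', '.join(findings)}")
```

A finding is a prompt for review, not a verdict: legitimate ad blockers and password managers also request broad host access, so pair the result with install date and source.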


Pre-Defined Response Options

Option A: Remove Malware & Verify Nonprofit Software

  • Action: Uninstall unauthorized software and browser extensions, remove FakeBat components, verify all nonprofit tools are from legitimate sources, implement software verification procedures for volunteers.
  • Pros: Completely removes the threat and establishes software verification for volunteer environment; protects donor data.
  • Cons: Time-consuming; may require reinstalling legitimate nonprofit software and retraining volunteers on security procedures.
  • Type Effectiveness: Super effective against Trojan type malmons like FakeBat.

Option B: Browser Security Hardening for Volunteers

  • Action: Reset all affected browsers to default settings, disable unauthorized extensions, implement browser security policies for volunteer systems to prevent future nonprofit-targeted modifications.
  • Pros: Stops browser hijacking and prevents future unauthorized changes; relatively quick for volunteer systems; protects donor communications.
  • Cons: Doesn’t address the underlying malware that may deploy additional payloads to volunteer workstations.
  • Type Effectiveness: Moderately effective against Browser Hijacker type threats.

Option C: Block Nonprofit-Targeted Malicious Infrastructure

  • Action: Add ‘nonprofit-security-tools.org’, ‘charity-data-protection.com’ and related domains to firewall blocklist, preventing communication with malware distribution servers targeting charitable organizations.
  • Pros: Prevents additional volunteers from downloading fake nonprofit security tools; stops malware from receiving commands.
  • Cons: Doesn’t remove already-installed malware or fix compromised volunteer browsers.
  • Type Effectiveness: Partially effective against Downloader type malmons.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Initial Detection & Fundraising Gala Crisis (35-40 minutes)

Opening Hook: Tuesday morning, 48 hours before annual fundraising gala. Volunteer computers showing browser redirects, persistent advertisements during donor communications. Staff report installing “critical security updates” and “data protection software” yesterday to protect donor information.

Time-Stamped Investigation Clues:

  • Minute 5: Multiple volunteer workstations visited ‘nonprofit-security-tools.org’ and ‘charity-data-protection.com’, downloaded ‘NonprofitSecure_Suite.exe’ and ‘DonorProtect_Tool.exe’ (domains registered last week)
  • Minute 8: Memory scans reveal unfamiliar processes injecting into browsers, lack valid digital signatures (legitimate nonprofit security tools have verified certificates)
  • Minute 12: DNS logs show connections to privacy-protected hosting, C2 callbacks every 15 minutes from volunteer systems
  • Minute 16: Volunteers found tools through searches for “nonprofit cybersecurity compliance” and “charity data protection”, fake security warnings appeared during donor database work
  • Minute 20: Browser extensions ‘Nonprofit Data Guard’ and ‘Charity Security Helper’ installed with permissions to access donor information and payment data, injecting charity-related advertisements
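
The Minute 12 clue and the Tracker lead about recently registered domains can be demonstrated with the following added example, which is not part of the original scenario materials. It flags client/domain pairs that are newly registered, that call back at a regular interval, or both. The log format, host names, timestamps and registration dates are constructed; a real run would take registration dates from a WHOIS/RDAP lookup.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed resolver log: "timestamp client queried-name".
SAMPLE_DNS_LOG = """\
2024-05-14T09:00:05 vol-ws-03 nonprofit-security-tools.org
2024-05-14T09:02:11 vol-ws-03 example-donor-crm.com
2024-05-14T09:03:40 vol-ws-03 example-donor-crm.com
2024-05-14T09:12:40 vol-ws-07 charity-data-protection.com
2024-05-14T09:15:02 vol-ws-03 nonprofit-security-tools.org
2024-05-14T09:30:07 vol-ws-03 nonprofit-security-tools.org
2024-05-14T09:41:19 vol-ws-03 example-donor-crm.com
2024-05-14T09:45:04 vol-ws-03 nonprofit-security-tools.org
2024-05-14T10:00:06 vol-ws-03 nonprofit-security-tools.org
2024-05-14T10:20:00 vol-ws-03 example-donor-crm.com
"""

# Constructed registration dates standing in for WHOIS/RDAP results.
REGISTERED = {
    "nonprofit-security-tools.org": date(2024, 5, 8),
    "charity-data-protection.com": date(2024, 5, 9),
    "example-donor-crm.com": date(2015, 3, 2),
}

def parse_log(text):
    """Group query times by (client, domain); malformed lines are skipped."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        seen[(client, qname.lower().rstrip("."))].append(when)
    return {key: sorted(times) for key, times in seen.items()}

def callback_interval(times, min_events=4, max_cv=0.1):
    """Return the mean gap in minutes if the gaps are regular, else None.

    Regularity is the coefficient of variation (stdev / mean) of the gaps:
    human browsing is bursty, a timer-driven callback is nearly constant.
    """
    if len(times) < min_events:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_cv:
        return None
    return round(avg / 60, 1)

def triage(text, registered, today, max_age_days=30):
    """Return findings for pairs that are newly registered and/or periodic."""
    findings = []
    for (client, domain), times in sorted(parse_log(text).items()):
        created = registered.get(domain)
        age = (today - created).days if created else None
        interval = callback_interval(times)
        flags = []
        if age is not None and age <= max_age_days:
            flags.append("newly-registered")
        if interval is not None:
            flags.append("periodic-callback")
        if flags:
            findings.append({"client": client, "domain": domain,
                             "age_days": age, "interval_minutes": interval,
                             "flags": flags})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_DNS_LOG, REGISTERED, date(2024, 5, 14)):
        print(finding)
```

Either flag alone is weak evidence, since software update checks are also periodic and new domains are often benign; the pair carrying both flags is the workstation to isolate first.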

Pressure Event (Minute 22): Major donor calls to confirm gala attendance, requires functional volunteer systems for event coordination. Executive Director demands explanation for why volunteer productivity has dropped before critical fundraising event.

Response Options:

  • Option A: Complete volunteer workstation malware removal, software verification for nonprofit environment, donor communication system protection
  • Option B: Browser security hardening for volunteer systems, reset compromised browsers, disable unauthorized extensions, implement policies preventing nonprofit-targeted modifications
  • Option C: Forensic investigation for insurance documentation, identify patient zero and infection timeline, prepare detailed volunteer/donor communication, engage external IR support

Round 1 Debrief: How did FakeBat exploit nonprofit resource constraints and volunteer trust? What makes fake security and data protection tools convincing to charitable organizations? How did you balance Maria’s need for gala operations with volunteer system cleaning?

Round 2: Donor Database Threat & Client Notification (35-45 minutes)

Evolution Based on Round 1 Choice: Workstation cleaning progressing but incomplete, browser fixes surface-level with underlying malware persisting, or comprehensive investigation delaying remediation with donor concerns escalating.

Advanced Investigation Clues:

  • Minute 44: ‘NonprofitSecure_Suite.exe’ is loader delivering RedLine Stealer to volunteer systems accessing donor database—volunteer credentials, donor contact information, payment processing access potentially exfiltrated
  • Minute 49: Memory forensics shows credential theft from volunteers managing donor relations, grant applications, fundraising systems—organizational access to sensitive community data compromised
  • Minute 54: Attribution reveals malvertising targeting nonprofit cybersecurity searches, geofenced to areas with charitable organizations, campaign specifically designed to compromise organizations with limited security resources
  • Minute 59: Volunteer reports their donor management credentials were used for unauthorized access attempts—donor questioning organization’s cybersecurity, potential gala attendance withdrawal

Pressure Event (Minute 62): Legal counsel guidance complicated—membership agreements lack specifics about volunteer system compromises or donor data exposure. Recommends offering affected volunteers complimentary cybersecurity services ($200-300 per volunteer, 15 volunteers = $3,000-4,500 unbudgeted expense). Board asking if this creates legal admission of liability.

Enhanced Response Options:

  • Option D: Comprehensive volunteer remediation with donor protection templates, workspace-funded security tools, mandatory volunteer security orientation
  • Option E: Selective deep cleaning on high-risk volunteer systems with donor access, implement browser protections organization-wide, document volunteer security responsibilities in updated agreements
  • Option F: External IR partnership for professional nonprofit assessment, implement findings as security certification, provide volunteers with complimentary consultation, transform incident into organizational security differentiator

NPC Interactions:

  • Maria Santos (Executive Director): Balancing donor confidence with volunteer support, gala represents 30% annual funding, cannot afford donor withdrawal
  • David Park (Volunteer Coordinator): Volunteer retention during crisis, some volunteers defensive about social engineering, others demanding better organizational security
  • Rebecca Foster (Development Manager): Donor relations and fundraising impact, major donors questioning organizational competence, grant funder cybersecurity requirements
  • Mike Johnson (IT Volunteer Coordinator): Limited IT budget and volunteer technical skills, basic security practices need improvement, resource constraints make comprehensive solutions difficult

Round 2 Debrief: How did FakeBat’s pay-per-install model (loader deploying RedLine Stealer) target nonprofit donor databases? What competing priorities did NPCs present regarding volunteer support vs. donor protection vs. gala operations? How did you balance volunteer autonomy with security controls for resource-constrained charitable organizations?

Key Learning Objectives (Lunch & Learn)

Technical: Software masquerading targeting nonprofits, loader/dropper delivering credential stealers, browser hijacking affecting donor communications, volunteer system security in resource-constrained environments

Business: Fundraising event operations, donor confidence management, volunteer coordination during incidents, nonprofit liability with limited budgets, grant funder security requirements

Incident Response: Triaging volunteer systems with donor access, donor notification decision-making with uncertain data exposure, balancing event operations with security, managing stakeholder conflicts in charitable contexts


Full Game Materials (120-140 min, 3 rounds)

Round 1: Discovery & Gala Preparation Crisis (35-40 minutes)

Opening: Community Outreach Foundation, Tuesday morning, 48 hours before annual fundraising gala. Multiple volunteer computers experiencing browser issues after installing fake nonprofit security tools.

Investigation Paths: Detective (software installation analysis), Protector (volunteer system forensics), Tracker (nonprofit-targeted campaign attribution), Communicator (volunteer/donor interviews)

Pressure Events: Major donor gala confirmation (Minute 12), board demanding volunteer productivity explanation (Minute 18), development manager reporting potential donor questioning organizational security (Minute 22)

Player-Developed Responses: Players create containment strategies balancing volunteer system security, donor protection, gala operations, and nonprofit reputation

Round 2: Donor Database Compromise & Volunteer Credential Theft (40-45 minutes)

Evolution: RedLine Stealer deployment on volunteer systems with donor database access, organizational credential exfiltration, donor contact information exposure, unauthorized access attempts using volunteer credentials

Advanced Investigation: Attribution reveals targeted nonprofit campaign, fake security compliance messaging, volunteer trust exploitation through data protection fears

Complex Decisions: Donor notification with uncertain exposure, volunteer support during credential compromise, gala communications about organizational security, external IR engagement with limited nonprofit budget

NPC Conflicts: Gala revenue preservation (Maria), volunteer morale and retention (David), donor relationship protection (Rebecca), resource constraints and technical limitations (Mike)

Round 3: Gala Execution & Long-Term Nonprofit Security (35-45 minutes)

Final Phase: Gala proceeds or is disrupted based on player decisions, post-event donor concerns emerge or are addressed, long-term volunteer security policies developed

Strategic Planning: Volunteer system security architecture, donor data protection programs, grant funder cybersecurity compliance, nonprofit security culture with limited resources

Outcome Scenarios: Successful gala with comprehensive donor protection, compromised gala with donor withdrawal, or partial success with mixed community response and funding impact


Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Modifications

Ambiguity: Legitimate nonprofit software updates, volunteer productivity issues from unrelated causes, donor concerns about general organizational competence vs. specific security incident

Stakeholder Unreliability: Maria concealing funding crisis affecting security investment, David protecting specific key volunteers despite security risks, Rebecca filtering donor complaints to preserve gala participation, Mike overconfident about volunteer technical capabilities

Compressed Timeline: Gala in 24 hours, major donors arriving for pre-event meetings during investigation, board emergency meeting requiring incident briefing mid-response

Ethical Dilemmas: Donor notification probabilities with uncertain database exposure, volunteer support obligations when resources limited, gala cancellation decision with funding implications for community services

Consequence Scenarios: False positive volunteer disruption affecting gala preparation, delayed notification resulting in donor fraud, inconsistent messaging eroding nonprofit community trust, grant funders questioning organizational cybersecurity maturity

[Comprehensive debrief covering nonprofit-specific security challenges, resource-constrained decision-making, donor trust management, volunteer coordination, and charitable organization incident response complexity]