Large Group Artifacts: Noodle RAT – Biotech Research Surveillance
Team-specific evidence cards for Multi-Team Coordination format (12-15+ players). Print all cards, sort by team and tier, and keep face-down until the release point for each round. One set per team – do not mix teams.
Organization: GenVista Therapeutics (US). Adapt names for other regions.
Tier 1 – Initial Indicators
Release at start of Round 1
Alpha x2 – Bravo x2 – Charlie x2
Type: EDR memory scan alert Source: Endpoint telemetry, RES-WS-047, Monday 08:52 UTC
EDR Alert -- Process Memory Anomaly [CRITICAL]
Timestamp : 2026-03-09 08:52:14 UTC
Host : RES-WS-047
User : analyst.p (interactive session active)
Parent PID: 1824 Parent name: explorer.exe
Alert : Unsigned reflective DLL injected into parent address space
Disk hit : NONE -- no dropped file, no temp artifact
Module cap: keylogger | clipboard capture | encrypted outbound | file staging
C2 conn : 198.51.100.87:443 state=ESTABLISHED bytes_out=2,847
--- Secondary alert (same signature) ---
Timestamp : 2026-03-09 08:54:07 UTC
Host : RES-WS-051
User : researcher.j (interactive session active)
Parent PID: 3301 Parent name: explorer.exe
Same injection pattern. Same destination IP. Separate session.
AV scan result on both hosts: CLEAN (no file-based detections)
Registry check: No new Run keys, no scheduled tasks (standard persistence absent)
Analysis direction: Memory-resident implant with no disk footprint. File-based forensics will find nothing. Capture volatile memory before any reboot or any remediation step that terminates explorer.exe: the running process holds the only copy of the implant and its staging buffers. How it got in is answered from mail, proxy and authentication logs, not from memory alone.
Type: Windows Security Event Log – LSASS access Source: Security event logs, RES-WS-047 and GVT-DC-01, past 6 weeks
--- LSASS Access (Event ID 4656) ---
Timestamp : 2026-01-26 03:14:22 UTC
Host : RES-WS-047
Process : explorer.exe (PID 1824)
Access : 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION)
Target : lsass.exe (PID 644)
Result : SUCCESS
--- Subsequent domain auth events (GVT-DC-01 event log) ---
2026-01-27 02:01:14 UTC researcher.j NTLM RES-WS-047 → RES-FS-001 (CIFS/SMB)
2026-02-03 01:47:09 UTC svc.backup NTLM RES-WS-047 → RES-FS-001 (CIFS/SMB)
2026-02-11 00:33:41 UTC researcher.j NTLM RES-WS-047 → LIMS-SRV-01 (HTTP)
2026-02-20 03:22:17 UTC researcher.j NTLM RES-WS-051 → RES-FS-001 (CIFS/SMB)
2026-03-02 02:15:55 UTC svc.backup NTLM RES-WS-047 → RES-FS-001 (CIFS/SMB)
Normal session hours for analyst.p: 08:00--18:00 UTC (recorded badge data)
All above events occurred between 00:33 and 03:22 UTC
Analysis direction: LSASS was read on January 26 by explorer.exe PID 1824, the same process the EDR later flagged as injected. In the weeks that followed, researcher.j and svc.backup authenticated from RES-WS-047 (analyst.p’s workstation) between 00:33 and 03:22 UTC, hours when badge data shows she was not on site. The implant harvested credentials cached on her host and replayed them laterally from there. Note that Event ID 4656 records only the handle request; if Sysmon Event 10 (ProcessAccess) or EDR telemetry is available, use it to confirm the read completed.
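As an added example (not part of the exercise material), here is the decoder a detection engineer would use to read the access mask on this card and decide whether a handle request against LSASS deserves an alert. The PROCESS_* values are the documented winnt.h constants; the allowlist of security engines and the three sample events are constructed, the first of them mirroring the RES-WS-047 record above.

```python
"""Decode a Windows process-access mask and judge an LSASS handle request.

Added example, not part of the exercise material. PROCESS_* values are the
documented constants from winnt.h; the allowlist and the sample events are
constructed for illustration (the first event mirrors the card above).
"""
from __future__ import annotations

from dataclasses import dataclass

# Single-bit PROCESS_* rights from winnt.h, plus the standard rights in the high word.
PROCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000004: "PROCESS_SET_SESSIONID",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_VM_READ = 0x10

# Constructed allowlist: engines that legitimately read LSASS memory (AV/EDR).
DEFAULT_ALLOWLIST = frozenset({"msmpeng.exe", "edr-sensor.exe"})


@dataclass(frozen=True)
class AccessEvent:
    """One handle-request record (Security 4656 or Sysmon 10 style)."""
    host: str
    source_image: str   # process that requested the handle
    target_image: str   # process the handle points at
    access_mask: int


def decode_access_mask(mask: int) -> list[str]:
    """Names of the rights set in ``mask``; undocumented bits are kept as hex."""
    names, remaining = [], mask
    for bit, name in sorted(PROCESS_RIGHTS.items()):
        if mask & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"UNKNOWN(0x{remaining:x})")
    return names


def lsass_read_verdict(ev: AccessEvent, allowlist=DEFAULT_ALLOWLIST) -> tuple[bool, str]:
    """Return (suspicious, reason) for one handle request.

    Credential dumpers need PROCESS_VM_READ on lsass.exe; the masks seen in the wild
    are 0x1010 (QUERY_LIMITED_INFORMATION|VM_READ), 0x1410 and 0x1fffff (ALL_ACCESS).
    A request without VM_READ cannot copy credential material, whatever else it asks for.
    """
    src = ev.source_image.lower().rsplit("\\", 1)[-1]
    if ev.target_image.lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return False, "target is not lsass.exe"
    if not ev.access_mask & PROCESS_VM_READ:
        return False, "no PROCESS_VM_READ requested; memory cannot be read with this handle"
    if src in allowlist:
        return False, f"{src} is an approved security engine"
    rights = "|".join(decode_access_mask(ev.access_mask))
    return True, f"{src} opened lsass.exe with 0x{ev.access_mask:x} ({rights})"


# Constructed sample events: the card's explorer.exe request plus two benign ones.
SAMPLE_EVENTS = [
    AccessEvent("RES-WS-047", r"C:\Windows\explorer.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
    AccessEvent("RES-WS-031", r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
                r"C:\Windows\System32\lsass.exe", 0x1FFFFF),
    AccessEvent("RES-WS-018", r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\lsass.exe", 0x1000),
]


def triage(events=SAMPLE_EVENTS) -> list[tuple[str, str]]:
    """(host, reason) for every event judged suspicious."""
    hits = []
    for ev in events:
        suspicious, why = lsass_read_verdict(ev)
        if suspicious:
            hits.append((ev.host, why))
    return hits


if __name__ == "__main__":
    for host, why in triage():
        print(f"[ALERT] {host}: {why}")
```

The rule keys on PROCESS_VM_READ rather than on the exact 0x1010 value because tooling varies the other bits freely; explorer.exe has no business holding a readable handle to LSASS at all, so it never belongs on the allowlist.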
Type: Edge firewall log – long-range lookback Source: Perimeter firewall, 45-day query, RES-WS-047 outbound
Firewall: GVT-EDGE-FW-01 Query window: 2026-01-24 to 2026-03-09
Source filter: 10.10.50.47 (RES-WS-047) Destination: 198.51.100.87:443
First observed:
2026-01-24 14:11:03 UTC 10.10.50.47 → 198.51.100.87:443 SYN 1.2KB (initial callback)
2026-01-24 18:11:07 UTC 10.10.50.47 → 198.51.100.87:443 ACK 0.3KB (beacon)
2026-01-24 22:11:04 UTC 10.10.50.47 → 198.51.100.87:443 ACK 0.3KB (beacon)
[Pattern continues at ~4-hour intervals for 44 days]
Total beacon count : 266 events (Jan 24 -- Mar 9; 44 days at ~6 per day)
Avg interval : 3h 58m
Payload range : 0.2KB -- 0.4KB per beacon (consistent keep-alive profile)
Notable large transfers:
2026-01-27 02:01 UTC 10.10.50.47 → 198.51.100.87:443 1.84MB (session 1 exfil)
2026-02-03 01:47 UTC 10.10.50.47 → 198.51.100.87:443 2.11MB (session 2 exfil)
2026-03-09 08:51 UTC 10.10.50.47 → 198.51.100.87:443 2.80MB (final burst -- largest, one minute before the EDR alert)
Domain: research-analytics-cdn.net Registered: 2025-12-14 TLS issued: 2025-12-15
No threat intel match at time of initial contact. ASN: AS14061 (DigitalOcean, SG)
Analysis direction: 266 beacon entries at a fixed ~4-hour cadence = persistent, automated check-in for 6 weeks. The 2.8MB transfer on Monday morning is the final staging burst, not the start of the operation. This has been running since January 24. The destination had no threat-intel match when first contacted; the signal available all along was cadence, payload size and domain age, not reputation.
Type: File server access log Source: RES-FS-001 audit log, 45-day lookback
Server : RES-FS-001 Share audit enabled: YES
Lookback : 2026-01-24 to 2026-03-09 After-hours window: 20:00--07:00 UTC
Affected shares:
\\RES-FS-001\TrialData (Phase III datasets)
\\RES-FS-001\ModelingOutputs (dose-response and efficacy models)
Top access events by file count (after-hours only):
2026-01-27 02:01 UTC researcher.j 1,847 file reads src=10.10.50.47 (RES-WS-047)
2026-02-03 01:47 UTC svc.backup 2,113 file reads src=10.10.50.47 (RES-WS-047)
2026-02-11 00:33 UTC researcher.j 941 file reads src=10.10.50.47 (RES-WS-047)
2026-02-20 03:22 UTC researcher.j 1,204 file reads src=10.10.50.51 (RES-WS-051)
2026-03-02 02:15 UTC svc.backup 1,589 file reads src=10.10.50.47 (RES-WS-047)
Total files accessed across 5 sessions : 7,694
Write events in the same window : 0
Delete events in the same window : 0
Source IP note: svc.backup server address is 10.10.60.12 (admin VLAN).
All above svc.backup authentications originate from 10.10.50.47 -- research VLAN.
Analysis direction: File access is coming from workstations, not servers. Someone used stolen credentials to access the trial repository from compromised research endpoints. Five separate collection sessions over 6 weeks.
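As an added example (not part of the exercise material), this is the detection logic that would have caught the pattern on this card: after-hours read bursts per session, a service account authenticating from outside its home VLAN, and any write or delete that would bear on the integrity question. The audit-line format, the expected-source map for svc.backup and the sample lines are constructed; the 20:00--07:00 UTC window and the 100-read threshold follow the cards.

```python
"""Flag after-hours read bursts and off-VLAN service-account logons in a share audit log.

Added example, not part of the exercise material. The line format, the
expected-source map for svc.backup, and the sample lines are all constructed;
the 20:00--07:00 UTC window and the 100-read threshold follow the cards.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AFTER_HOURS_START, AFTER_HOURS_END = 20, 7          # UTC, wraps midnight
READ_BURST_THRESHOLD = 100                           # reads per session
SESSION_GAP = timedelta(minutes=30)                  # new session after this idle gap
# Assumed mapping: where each service account is allowed to authenticate from.
EXPECTED_SOURCE = {"svc.backup": ipaddress.ip_network("10.10.60.0/24")}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    op: str        # READ | WRITE | DELETE
    src: str
    path: str


def parse_line(line: str) -> AuditEvent:
    """Parse '2026-01-27T02:01:14Z user=researcher.j op=READ src=10.10.50.47 path=...'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuditEvent(ts, kv["user"], kv["op"], kv["src"], kv["path"])


def is_after_hours(ts: datetime) -> bool:
    return ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END


def analyze(lines: list[str]) -> dict:
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    # Group into sessions per (user, src): consecutive events closer than SESSION_GAP.
    sessions = defaultdict(list)
    for ev in events:
        runs = sessions[(ev.user, ev.src)]
        if runs and ev.ts - runs[-1][-1].ts <= SESSION_GAP:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    bursts, mismatches = [], set()
    for (user, src), runs in sessions.items():
        net = EXPECTED_SOURCE.get(user)
        if net is not None and ipaddress.ip_address(src) not in net:
            mismatches.add((user, src))          # service account off its home VLAN
        for run in runs:
            reads = sum(1 for e in run if e.op == "READ")
            if is_after_hours(run[0].ts) and reads > READ_BURST_THRESHOLD:
                bursts.append({"user": user, "src": src,
                               "start": run[0].ts.isoformat(), "reads": reads})
    # Every write/delete, regardless of hour: this is the integrity question.
    modifications = [(e.ts.isoformat(), e.user, e.op, e.path)
                     for e in events if e.op in ("WRITE", "DELETE")]
    return {"after_hours_bursts": bursts,
            "source_mismatch": sorted(mismatches),
            "modifications": modifications}


def sample_log() -> list[str]:
    """Constructed audit lines modelled on the RES-FS-001 card."""
    lines = []
    base = datetime(2026, 1, 27, 2, 1, 14, tzinfo=timezone.utc)
    for i in range(150):   # bulk after-hours read from a research workstation
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=researcher.j op=READ src=10.10.50.47 "
                     f"path=TrialData/efficacy_{i:04d}.csv")
    base = datetime(2026, 2, 3, 1, 47, 9, tzinfo=timezone.utc)
    for i in range(5):     # service account used from the research VLAN, below the read threshold
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=svc.backup op=READ src=10.10.50.47 "
                     f"path=ModelingOutputs/model_{i}.bin")
    lines.append("2026-02-03T10:15:00Z user=analyst.p op=WRITE src=10.10.50.47 path=TrialData/notes.docx")
    lines.append("2026-02-03T14:02:00Z user=researcher.m op=READ src=10.10.50.31 path=TrialData/summary.csv")
    return lines


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(sample_log()), indent=2))
```

The source-VLAN rule fires on five reads; it does not wait for a volume threshold, because a backup service account appearing on a workstation address is wrong at any count.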
Type: Chief Science Officer situation report Source: Dr. Andrea Chen, 09:15 UTC
Active trial datasets on affected file server (\\RES-FS-001\TrialData):
| Dataset | Accessed by implant | Submission role |
|---|---|---|
| Phase III efficacy summaries (oncology) | Yes | Primary FDA submission data |
| Dose-response modeling outputs | Yes | Required regulatory appendix |
| Interim safety data (immunotherapy) | Yes | Required safety narrative |
| Biomarker correlation files | Under review | Competitive differentiator |
| Raw patient-level data (de-identified) | Under review | HIPAA-aligned, unconfirmed |
Submission deadline: Thursday 3:30 PM UTC (FDA electronic filing window closes)
CSO note: Phase III efficacy summaries are the core of the NDA submission package. If those files were altered – even a single data point – the submission cannot proceed without full re-audit. If they were read-only, the submission can go forward with a voluntary disclosure attached.
Analysis direction: It is Monday morning with less than 80 hours to submission. The CSO cannot certify data integrity until forensics confirms whether accessed files were read-only or modified. That question needs an answer before any filing decision can be made.
Type: CEO and General Counsel briefing note Source: Dr. Sarah Mitchell (CEO) + Legal, 09:20 UTC
GenVista Therapeutics is pre-IPO with a $2 billion valuation tied directly to Phase III results. Current exposure:
| Stakeholder | Obligation | Clock | Current status |
|---|---|---|---|
| Partner A (pharma co-development) | 48-hour breach notification | Arguably running | Pending legal review |
| Partner B (licensing agreement) | 48-hour breach notification | Arguably running | Pending legal review |
| IRB oversight board | 5 business days if participant data involved | Not yet started | Scope unconfirmed |
| FDA | Voluntary disclosure before filing | Before Thursday | Draft not started |
| Pre-IPO investors | Material adverse event clause | Legal threshold unclear | Counsel reviewing |
CEO note: The roadshow deck issued last month cited data integrity as a key valuation anchor. If that representation becomes false – or if the breach surfaces publicly before we disclose – the legal exposure expands significantly beyond the notification obligations above.
Partner agreements define “confirmed breach” as any unauthorized access to contracted data assets. The RES-FS-001 access logs arguably meet that threshold without forensics needing to complete.
Analysis direction: The business risk is not just this submission – it is whether the company can certify to investors, partners, and regulators that its crown-jewel data was not stolen by an external actor (attribution is not established at this point and should not appear in any statement yet). That certification requires forensic certainty the team does not yet have.
Tier 2 – Deep Analysis
Release at start of Rounds 2 and 3 (3 cards per team)
Alpha x3 – Bravo x3 – Charlie x3
Type: Memory forensic analysis Source: IR team, RES-WS-047 memory dump taken 09:35 UTC
Image file : RES-WS-047_20260309_0935.raw Size: 16.0 GB
Tool : WinPmem 4.0 via IR USB kit
Integrity : SHA-256 computed at acquisition (image written to the IR USB kit, not the suspect disk) and re-verified after copy to the analysis host
--- Injected module (extracted from explorer.exe PID 1824) ---
Module name : [NONE -- no PE header, reflective loader]
Inject method : Reflective injection into the running explorer.exe (manually mapped, no PE header; not process hollowing -- the host process was not replaced)
Capabilities :
[1] Keylogger -- captures keystrokes + active window title
[2] Clipboard monitor -- copies clipboard content on each change
[3] File stager -- reads target files, encrypts to in-memory buffer
[4] C2 reverse shell -- HTTPS to 198.51.100.87:443 with custom XOR+AES-128
[5] Reinjector -- if parent process exits, re-injects into next explorer.exe
C2 protocol: TLS 1.3, certificate pinned, SNI = research-analytics-cdn.net
Beacon interval: 14,400s (~4h) Command poll: every beacon
Key material: Ephemeral per-session (no hardcoded key in image)
Malware family match: NoodleRAT v2 (JPCERT/CC signature DB, confidence HIGH)
Disk artifact found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name : GVTUpdate
Value data : C:\Windows\Temp\gvtupd.exe (stub loader, 24KB, signed-looking)
Analysis direction: The one persistence artifact is GVTUpdate in the Run key; everything else is in memory. If the machine reboots without first being imaged, the injected module disappears, but the Run key re-executes a loader that re-injects it. The disk artifact is a dropper stub, not the payload. The Tier 1 registry check reported no new Run keys and the EDR reported no disk hit: reconcile that miss (the value name mimics an in-house updater and the stub is signed-looking) before trusting any other "persistence absent" finding from the initial sweep.
Type: Email gateway + web proxy correlation Source: Email gateway logs and endpoint browser history, RES-WS-047
--- Email gateway log (GVT-MAIL-GW-01) ---
2026-01-24 14:04:37 UTC RECEIVED
From : research-portal@clinicaltrials-update.net
To : analyst.p@genvistatherapeutics.com
Subject : Phase III milestone portal -- credential refresh required
Body : [text/html] 1,847 bytes Attachment: NONE
SPF : PASS (attacker-controlled domain; its SPF record authorizes sending IP 198.51.100.87)
DKIM : PASS (selector key published in the attacker's own DNS, record created 2026-01-21)
AV scan : CLEAN (no attachment, no malicious URL pattern matched)
Action : DELIVERED
--- Endpoint browser history (RES-WS-047 Chrome profile) ---
2026-01-24 14:07:22 UTC analyst.p opens email link
URL : hxxps://clinicaltrials-update.net/refresh?token=[186-char base64]
Resolved: 198.51.100.87 (same ASN as C2 infrastructure)
Content : Credential prompt, GenVista branding replicated
Cert : Let's Encrypt, issued 2026-01-21 (same day as domain registration; 3 days before use)
2026-01-24 14:09:11 UTC Form submission detected (POST to same IP)
Likely content: analyst.p credentials (GenVista SSO format)
2026-01-24 14:11:03 UTC First C2 beacon from RES-WS-047
(119 seconds after credential submission)
Analysis direction: Spear-phishing of analyst.p with a domain crafted specifically for this operation, registered 3 days before use. SPF and DKIM both pass because the attacker controls that domain; email authentication proves only that the sender owns clinicaltrials-update.net, not that it has anything to do with GenVista. The attacker researched GenVista’s Phase III timeline. This is targeted, not opportunistic.
Type: Forensic timeline – 6-week reconstruction Source: Combined endpoint, file server, and network logs
Full intrusion timeline -- GenVista Therapeutics
(reconstructed from endpoint, file server, firewall, and DC logs)
2026-01-21 clinicaltrials-update.net registered (attacker prep)
2026-01-24 analyst.p phished -- implant deployed to RES-WS-047
First C2 beacon: 14:11 UTC
2026-01-25 RES-WS-051 (researcher.j) infected via lateral NTLM pass
2026-01-26 LSASS memory read on RES-WS-047 at 03:14 UTC
Credentials harvested: analyst.p, researcher.j, svc.backup
2026-01-27 Session 1: 1,847 files read from TrialData (02:01 UTC)
2026-01-28 RES-WS-062 (analyst.r) beacon pattern confirmed -- 3rd host
2026-02-03 Session 2: 2,113 files via svc.backup credentials (01:47 UTC)
2026-02-11 Session 3: 941 files read from TrialData (00:33 UTC); LIMS-SRV-01 queried the same night from RES-WS-047 (lab result correlation data)
2026-02-20 Session 4: 1,204 files from RES-WS-051 (03:22 UTC)
2026-03-02 Session 5: 1,589 files via svc.backup credentials (02:15 UTC)
2026-03-09 Final C2 burst: 2.80MB at 08:51 UTC (no matching RES-FS-001 session in the share audit log; contents not yet attributed)
Total bytes in the three logged large transfers (firewall) : 6.75 MB; sessions are encrypted on the wire, so the share audit file list, not wire volume, bounds the exposure
Unique files accessed across all sessions : ~7,700
Hosts confirmed compromised : 3 (WS-047, WS-051, WS-062)
Dwell time from first implant to detection : 44 days
Analysis direction: The attacker had 6 weeks to collect, index, and understand GenVista’s trial data. Five structured collection sessions suggest deliberate selection, not bulk scraping. The final burst on Monday morning may indicate the operation is concluding, or preparing for the next phase. One gap to close: the timeline shows RES-WS-051 beaconing on January 25, a day before the only LSASS read in the logs, so the credential used for that first hop is not yet accounted for.
Type: Threat intelligence + infrastructure pivot Source: External TI partner + passive DNS analysis, shared 10:30 UTC
Primary C2: 198.51.100.87
ASN : AS14061 (DigitalOcean, Singapore region)
PTR : research-analytics-cdn.net
TLS cert : Let's Encrypt wildcard *.research-analytics-cdn.net (issued 2025-12-15)
First seen: 2025-12-15 (passive DNS)
Domain cluster (passive DNS pivot from same registrar/ASN bloc):
research-analytics-cdn.net registered 2025-12-14 (C2 primary)
clinical-data-portal.net registered 2025-12-18 (staged, no active traffic)
biotech-submission-cdn.net registered 2026-01-09 (staged, no active traffic)
clinicaltrials-update.net registered 2026-01-21 (used for GenVista phish)
Registrar data: All four domains registered via privacy proxy, same registrar,
payment method consistent (TI vendor assessment -- confidence medium).
JPCERT/CC attribution:
Infrastructure cluster matches NoodleRAT operator tooling (HIGH confidence)
Prior victims: 3 US biotech firms, 1 EU pharmaceutical company (2024-2025)
Typical targeting: Phase II/III trial data, dose-response models, biomarkers
Operator motive assessed: Competitive intelligence for state-backed pharma programs
Current status of staged domains: No active traffic -- may indicate future operations
or domains prepared for other targets.
Analysis direction: Four domains, all biotech-themed, registered in a 5-week window before this operation. The attacker built purpose-specific infrastructure targeting clinical research organizations. GenVista was selected, not random.
Type: Network architecture review Source: IT Infrastructure team, 11:00 UTC
Network map -- GenVista Therapeutics research environment
VLAN 50 -- Research (10.10.50.0/24)
Hosts : RES-WS-047, RES-WS-051, RES-WS-062, RES-WS-031, RES-FS-001
Egress : Firewall to internet -- port 443 UNRESTRICTED (any destination)
East-West: Firewall to VLAN 60 -- Kerberos (88), LDAP (389), SMB (445) PERMITTED
East-West: Firewall to VLAN 70 -- HTTP (80), HTTPS (443) PERMITTED
VLAN 60 -- Admin / Identity (10.10.60.0/24)
Hosts : GVT-DC-01, svc.backup server (10.10.60.12), IT mgmt systems
Access from VLAN 50: AS ABOVE (Kerberos/LDAP/SMB permitted inbound)
VLAN 70 -- LIMS (10.10.70.0/24)
Hosts : LIMS-SRV-01 (lab information management system)
Access from VLAN 50: HTTP/HTTPS permitted inbound
Monitoring status:
Outbound HTTPS from VLAN 50 : NO inspection (TLS not terminated at proxy)
DNS queries from VLAN 50 : Direct to ISP resolver -- NO logging
After-hours file access alerts : NOT configured on RES-FS-001
Lateral movement detection : NOT configured between VLANs
Analysis direction: The C2 channel survived 6 weeks because outbound HTTPS from the research VLAN is unrestricted and uninspected, and nothing baselined the traffic. TLS inspection was not needed to catch this: 266 flows of 0.2--0.4KB at a fixed ~4-hour cadence from one workstation to one recently registered domain, with a handful of MB-scale outliers, are visible in firewall metadata alone, and DNS logging would have recorded the first lookup. The architecture prioritized researcher convenience over outbound visibility.
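As an added example (not part of the exercise material), the cadence check that could have been run over the edge firewall's flow export without terminating TLS, covering the beacon profile on the firewall card and the detection gap described here. The flow-line format and the sample flows are constructed; the 14,400 s interval, the 0.2--0.4KB keep-alive size and the MB-scale bursts mirror the GVT-EDGE-FW-01 card.

```python
"""Find periodic low-volume outbound channels (beacons) in firewall flow records.

Added example, not part of the exercise material. The flow-line format and the
sample flows are constructed; the cadence (14,400 s), beacon size (0.2--0.4 KB)
and the MB-scale transfers mirror the GVT-EDGE-FW-01 card.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MIN_EVENTS = 10          # need enough samples to talk about cadence
MAX_CV = 0.10            # stdev/mean of inter-arrival times below this = machine-regular
BURST_FACTOR = 10        # a flow this many times the median beacon size is a burst


def parse_flow(line: str) -> tuple[datetime, str, str, int, int]:
    """'2026-01-24T14:11:03Z 10.10.50.47 198.51.100.87 443 1228' -> (ts, src, dst, port, bytes)."""
    ts_text, src, dst, port, nbytes = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, src, dst, int(port), int(nbytes)


def find_beacons(lines: list[str]) -> list[dict]:
    """Return one verdict per (src, dst, port) channel whose keep-alives are periodic."""
    channels = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, port, nbytes = parse_flow(line)
            channels[(src, dst, port)].append((ts, nbytes))
    verdicts = []
    for (src, dst, port), flows in channels.items():
        flows.sort()
        if len(flows) < MIN_EVENTS:
            continue
        # Separate keep-alives from bursts first: an exfil transfer between two
        # beacons would otherwise split one 4 h interval and mask the cadence.
        median_bytes = statistics.median(b for _, b in flows)
        keepalive = [ts for ts, b in flows if b <= BURST_FACTOR * median_bytes]
        bursts = [(ts.isoformat(), b) for ts, b in flows if b > BURST_FACTOR * median_bytes]
        if len(keepalive) < MIN_EVENTS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(keepalive, keepalive[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if cv <= MAX_CV:
            verdicts.append({"src": src, "dst": dst, "port": port,
                             "beacons": len(keepalive), "mean_interval_s": round(mean_gap),
                             "cv": round(cv, 4), "first_seen": keepalive[0].isoformat(),
                             "bursts": bursts})
    return verdicts


def sample_flows() -> list[str]:
    """Constructed flows: one beaconing workstation plus one doing ordinary browsing."""
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} {} {} {} {}"
    lines = []
    t0 = datetime(2026, 1, 24, 14, 11, 3, tzinfo=timezone.utc)
    for i in range(60):     # ten days of 4 h check-ins with up to +-30 s of jitter
        jitter = (i * 37) % 61 - 30
        t = t0 + timedelta(seconds=14400 * i + jitter)
        lines.append(fmt.format(t, "10.10.50.47", "198.51.100.87", 443, 300 + (i * 13) % 100))
    for ts, nbytes in ((datetime(2026, 1, 27, 2, 1, 0, tzinfo=timezone.utc), 1_840_000),
                       (datetime(2026, 2, 3, 1, 47, 0, tzinfo=timezone.utc), 2_110_000)):
        lines.append(fmt.format(ts, "10.10.50.47", "198.51.100.87", 443, nbytes))
    t = datetime(2026, 1, 24, 9, 0, 0, tzinfo=timezone.utc)
    for i in range(60):     # irregular human traffic to a public site
        t += timedelta(seconds=600 + (i * i * 7919) % 30000)
        lines.append(fmt.format(t, "10.10.50.31", "203.0.113.10", 443, 900 + (i * 211) % 4000))
    return lines


if __name__ == "__main__":
    for v in find_beacons(sample_flows()):
        print(f"{v['src']} -> {v['dst']}:{v['port']} every ~{v['mean_interval_s']}s "
              f"(cv={v['cv']}, {v['beacons']} beacons, {len(v['bursts'])} bursts)")
```

The coefficient of variation is the whole detector: human-driven connections to the same destination have inter-arrival times that scatter widely, while an implant's sleep loop does not, even with the small jitter this one uses. Splitting bursts out before measuring cadence is what keeps the exfil sessions from hiding the beacon.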
Type: Endpoint compromise assessment Source: IR team sweep, all research VLAN hosts, 11:30 UTC
Research VLAN sweep results -- 11:30 UTC Monday
Host | User | Beacon? | Sessions | Files accessed | Action taken
-------------|--------------|---------|----------|-----------------------|-------------
RES-WS-047 | analyst.p | YES 44d | 2 (exfil)| TrialData, ModelingOut| ISOLATED 10:15 UTC
RES-WS-051 | researcher.j | YES 44d | 2 (exfil)| TrialData, LIMS-SRV-01| ISOLATED 10:17 UTC
RES-WS-062 | analyst.r | YES 40d | 1 (exfil)| ModelingOutputs only | ISOLATED 10:22 UTC
RES-WS-031 | researcher.m | NO | 0 | No anomalous access | Cleared 11:10 UTC
RES-WS-018 | lab.admin | NO | 0 | No anomalous access | Cleared 11:15 UTC
File server assessment:
RES-FS-001: No implant detected. Accessed via stolen credentials only.
File server OS and processes appear clean.
Share audit log intact and unmodified.
Domain controller assessment:
GVT-DC-01: No implant detected. LSASS not accessed on DC directly.
Domain admin credentials (DA tier) not harvested -- HIGH CONFIDENCE.
Recommendation: Privileged account audit before declaring clean.
LIMS server assessment:
LIMS-SRV-01: No implant. Accessed by implant via stolen credentials 2026-02-11.
Lab result audit: 2,847 records flagged for review. IN PROGRESS.
Analysis direction: The good news: domain admin credentials appear clean and RES-FS-001 is uncompromised. The bad news: LIMS-SRV-01 was accessed by the implant and requires a full audit before lab result integrity can be confirmed.
Type: Regulatory compliance assessment Source: CISO David Torres + Regulatory Affairs, 11:00 UTC
Regulatory Affairs reading of FDA 21 CFR Part 11 (electronic records) as applied to this submission:
- Submitted data must be traceable to original source records with an unbroken audit trail
- Any cybersecurity incident affecting trial data systems requires disclosure in the submission cover letter
- “Data integrity certification” can be withdrawn post-submission if a breach is later discovered – triggering a retroactive re-audit obligation
- Hash verification of submitted files is an accepted method of demonstrating read-only access
| Dataset | Accessed | Read-only confirmed | Hash baseline exists | Certifiable now |
|---|---|---|---|---|
| Efficacy summaries | Yes | Unknown | Yes (pre-incident) | No |
| Dose-response models | Yes | Unknown | Yes | No |
| Safety narratives | Yes | Likely (no writes) | Yes | Conditional |
| Raw patient data | Under review | Unknown | Partial | No |
| LIMS lab results | Yes | Unknown | No | No |
Regulatory Affairs note: The hash baselines that exist were created as part of the routine submission package preparation. Hash verification against those baselines is an available method for demonstrating file integrity. The file server access logs record read/write/delete events separately – forensic review of that log determines whether access was read-only.
Analysis direction: GenVista cannot certify submission integrity until forensics confirms that accessed files were read and not modified. A forged efficacy result in a Phase III submission is an FDA fraud issue. The team needs a clear answer to “were these files changed?” before Thursday.
Type: Legal analysis Source: General Counsel, 11:30 UTC
| Obligation | Triggering event | Deadline | Current status |
|---|---|---|---|
| Partner A notification (pharma co-dev) | Unauthorized access to contracted data | 48 hours | Clock likely running |
| Partner B notification (licensing) | Unauthorized access to contracted data | 48 hours | Clock likely running |
| IRB notification | Participant data involved in incident | 5 business days | Scope unconfirmed |
| FDA voluntary disclosure | Submission integrity affected | Before Thursday filing | Draft in progress |
| SEC-equivalent disclosure (pre-IPO) | Material adverse event threshold | Legal threshold unclear | Counsel reviewing |
Key legal finding: Partner agreements define “confirmed breach” as “any unauthorized access to data assets covered under this agreement.” The file server access logs show authenticated reads of TrialData and ModelingOutputs using non-authorized credential paths.
Legal recommendation: Issue partner notifications by Tuesday 11:30 UTC with holding language (“scope under active investigation, full report within 14 days”).
Analysis direction: The 48-hour clock on partner notification is not gated on forensic completion – it runs from “confirmed breach,” which arguably started when the file access logs were reviewed this morning. The legal team needs a briefing decision now, not after forensics finishes.
Type: Executive decision brief Source: CEO + CISO + Regulatory Affairs, 12:00 UTC
Option A – Proceed with submission Thursday (conditional):
- Requires: Forensic confirmation that efficacy and safety files were not modified
- Requires: Voluntary breach disclosure in FDA cover letter
- Requires: Hash verification documentation attached to submission package
- Risk: FDA may request data re-audit after submission (precedent: rare but possible)
- Investor impact: Disclosed breach; submission proceeds on schedule
Option B – Delay submission (request 30-day FDA extension):
- Mechanism: FDA administrative extension request (filing deadline only, not review clock)
- Advantage: Submit with fully certified integrity, no conditional language
- Risk: Extension requests are logged in public FDA dockets; signals instability to pre-IPO investors
- Deadline: Extension request must be submitted by Wednesday 5 PM UTC to take effect
- Cost: 30-day delay to submission; 30-day delay to FDA review initiation
Option C – Withdraw and refile:
- Trigger: Only if forensics confirms data modification
- Timeline: Minimum 90 days to refile
- Financial impact: Likely triggers investor agreement default clauses
Decision authority: CEO + Board Chair Decision deadline: Wednesday 3 PM UTC (latest point that still allows Option B)
Analysis direction: The IR team cannot make this call, but it owns the most important input: was the data modified? Every hour of forensic delay narrows the decision space. A definitive read/write determination, built from the RES-FS-001 audit log (reads versus writes), hash verification against the pre-incident baselines, and the staging buffer in the memory image, is the single highest-priority technical task.
Tier 3 – Developments
Release at start of Rounds 4 and 5 (2 cards per team)
Alpha x2 – Bravo x2 – Charlie x2
Type: Digital forensics verdict Source: IR team forensic lead, 14:00 UTC
Forensic report -- RES-WS-047 memory image analysis
Analyst : IR forensic lead
Completed : 2026-03-09 14:00 UTC
Confidence : HIGH
-- Memory staging buffer reconstruction --
Buffer location : 0x7FF40000 -- 0x7FF9FFFF (in-memory, not paged to disk)
Content type : Encrypted archive (XOR+AES-128, key recovered from memory image)
Decrypted index : 847 file entries confirmed (matches share access log subset)
File operation audit (all 847 entries):
READ operations : 847 (100%)
WRITE operations : 0 (0%)
DELETE operations: 0 (0%)
RENAME operations: 0 (0%)
File hash comparison (against pre-incident submission baseline):
Baseline available : 847 of 847 files
Hash match (PASS) : 847 of 847 files
Hash mismatch (FAIL): 0
RES-FS-001 source file metadata cross-check:
Last-modified timestamps: UNCHANGED on all 847 sampled files
ACL modification events : NONE detected in audit log
CONCLUSION: Attacker READ and COPIED trial data.
No evidence of modification, injection, deletion, or tampering.
Analysis direction: The data was stolen, not altered. This is decisive for the submission decision: GenVista can certify that the submitted efficacy results reflect actual trial outcomes. The breach disclosure must still happen, but the integrity concern is resolved for the files covered. Scope caveat: the 847 hashed files are the entries recovered from one host's staging buffer, while the share audit log records 7,694 reads. The zero-write finding comes from the audit log and covers all sessions; extend the hash verification to the full submission package against the pre-incident baselines before the cover letter cites it.
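As an added example (not part of the exercise material), the baseline comparison behind both the regulatory card's "hash verification against pre-incident baselines" and the 847-of-847 result above, written so it also reports files that vanished or appeared since the baseline, which a simple match count hides. The manifest format is the `<sha256>  <relative path>` layout that sha256sum emits; the small package built by `demo()` is constructed and stands in for the submission tree.

```python
"""Verify a file tree against a pre-incident SHA-256 manifest (sha256sum format).

Added example, not part of the exercise material. The manifest format is the
'<sha256>  <relative path>' layout produced by sha256sum; the sample tree
built by demo() is constructed and stands in for the submission package.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> str:
    """Hash every file under root; this is what the pre-incident baseline looks like."""
    return "".join(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}\n"
                   for p in sorted(root.rglob("*")) if p.is_file())


def parse_manifest(text: str) -> dict[str, str]:
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        entries[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum output
    return entries


def verify_tree(root: Path, manifest_text: str) -> dict[str, list[str]]:
    """Classify every path as matched, mismatched, missing (in baseline, gone now)
    or unexpected (present now, absent from baseline).

    Only a baseline captured before the incident proves anything: hashing
    today's files against today's files is a tautology.
    """
    baseline = parse_manifest(manifest_text)
    current = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in root.rglob("*") if p.is_file()}
    report = {"matched": [], "mismatched": [], "missing": [], "unexpected": []}
    for name, digest in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] == digest:
            report["matched"].append(name)
        else:
            report["mismatched"].append(name)
    report["unexpected"] = [n for n in current if n not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict[str, list[str]]:
    """Build a small constructed package, baseline it, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "efficacy").mkdir()
        (root / "safety").mkdir()
        (root / "efficacy" / "summary_01.csv").write_text("arm,responders\nA,41\nB,17\n")
        (root / "efficacy" / "summary_02.csv").write_text("arm,responders\nA,39\nB,20\n")
        (root / "safety" / "narrative.txt").write_text("No grade 4 events.\n")
        baseline = build_manifest(root)               # captured 'pre-incident'
        # Post-incident state: one altered value, one deleted file, one stray file.
        (root / "efficacy" / "summary_02.csv").write_text("arm,responders\nA,49\nB,20\n")
        (root / "safety" / "narrative.txt").unlink()
        (root / "readme.txt").write_text("not part of the package\n")
        return verify_tree(root, baseline)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:10s} {len(names):3d}  {', '.join(names)}")
```

A clean run for the submission is all four lists empty except "matched", and the manifest used must be the one stored with the package preparation records, not one regenerated after the fact.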
Type: Remediation status report Source: IR team, 15:30 UTC
Remediation status -- 15:30 UTC Monday
Completed actions:
[x] Memory images captured (all 3 hosts) before any intervention
[x] NoodleRAT v2 implant documented (JPCERT/CC signature confirmed)
[x] GVTUpdate Run key removed (HKLM\...\Run) on RES-WS-047, -051, -062
[x] gvtupd.exe stub deleted from C:\Windows\Temp\ (all 3 hosts)
[x] Hosts wiped and reimaged from gold image (2026-02-01 baseline)
[x] analyst.p, researcher.j, analyst.r passwords reset + MFA enforced
[x] svc.backup service account disabled pending audit (ticket: OPS-4471)
[x] C2 IP 198.51.100.87 blocked at GVT-EDGE-FW-01 (all ports)
[x] Domains blocked at DNS: research-analytics-cdn.net,
clinicaltrials-update.net, clinical-data-portal.net,
biotech-submission-cdn.net (full known cluster)
In progress:
[ ] LIMS-SRV-01 lab record audit: 847 of 2,847 records reviewed (30%)
[ ] Privileged account audit on GVT-DC-01: not yet started
[ ] svc.backup account formal review (access rights, rotation schedule)
Remaining risk:
GVT-DC-01: Clean (no implant found). Domain should be treated as
enumerated until privileged account audit completes. AD replication
logs show no unusual activity, but enumeration may leave no trace.
Analysis direction: The three workstations have been reimaged. Confirm that the 2026-02-01 gold image was built and stored outside the research VLAN, since that date falls inside the intrusion window. The open question is LIMS-SRV-01: if any lab result linked to a submission dataset was touched, that extends the integrity scope.
Type: Security architecture recommendation Source: IT Infrastructure + CISO, 14:30 UTC
Root cause analysis -- detection failure
Primary factor: Unrestricted outbound HTTPS from 10.10.50.0/24
C2 traffic profile that evaded detection:
Protocol : HTTPS (TLS 1.3; server certificate pinned in the implant, so an inspecting proxy would have broken the channel rather than decrypted it -- still a detectable failure)
Port : 443 (standard)
SNI : research-analytics-cdn.net (plausible CDN name)
Beacon size: 0.2--0.4KB per event (consistent with API poll traffic)
Interval : 14,400s (~4h, not flagged by volume anomaly)
Duration : 44 days with zero alerts generated
Proposed emergency controls (for leadership approval):
Control | Current | Proposed
--------------------------|-------------------|---------------------------
Outbound HTTPS (VLAN 50) | Unrestricted | Proxy-inspected + allowlist
DNS from VLAN 50 | Direct to ISP | Internal resolver + logging
After-hours file reads | No alert | Alert >100 reads 20:00--07:00
VLAN 50 → VLAN 60 lateral | SMB/Kerberos free | MFA-gated jump server
TLS inspection capability | None | SSL inspection proxy (Phase 2)
Researcher impact: Allowlisted HTTPS requires allowlist requests for new scientific databases (est. 3--5/week based on usage analysis), 24h turnaround.
Outage risk during implementation: LOW (proxy insertion, not firewall rebuild).
Analysis direction: The architects are proposing a trade: researcher convenience for detection capability. The question for leadership is whether 6 weeks of invisible state-sponsored access changes their risk tolerance for that trade.
Type: FBI Cyber Division threat briefing Source: FBI liaison (shared at request of CISO David Torres), 15:00 UTC
FBI Cyber Division -- Threat briefing to GenVista Therapeutics
Classification: TLP:AMBER+STRICT (recipient organization only)
Date: 2026-03-09
NoodleRAT operator -- known campaign pattern (2024-2025):
Confirmed victims (anonymized per FBI protocol):
Victim 1 (US biotech): Phase II data stolen 6 weeks before EMA submission
Victim 2 (US biotech): Phase III efficacy data, 2 weeks before FDA filing
Victim 3 (US biotech): Dose-response models only, no filing disruption
Victim 4 (EU pharma): Pre-clinical dataset + partnership term sheets
Attack pattern constants across all 4 victims:
Initial access : Spear-phish targeting research staff (100%)
Dwell time : 35--58 days (GenVista: 44 -- within normal range)
Data targeted : Phase II/III efficacy, dose-response, biomarker (all cases)
C2 method : Custom HTTPS implant, memory-resident (all cases)
Detection method: None of prior 4 victims self-detected before exfil complete
GenVista note : Detected earlier than any prior victim (EDR memory scan)
FBI post-incident tracking:
All 4 prior victims' data observed in suspected state-backed research outputs
Average time from theft to surfacing: 12--18 months post-exfiltration
Advance warning provided to victims who reported to FBI: YES (in 2 of 4 cases)
FBI recommendation: File formal report to enable tracking and advance notification.
Contact: FBI Cyber Division field office (CISO has direct contact)
Analysis direction: GenVista’s data will likely surface in a competitor’s research within 1-2 years. FBI recommends reporting to enable tracking – and notes that all prior victims who reported have received advance warning of publication timing.
Type: Regulatory communication draft Source: Regulatory Affairs + Legal, 15:00 UTC
Draft cover letter disclosure language for Thursday submission:
“GenVista Therapeutics discloses a cybersecurity incident affecting research information systems during the period January 24 through March 7, 2026. Independent forensic analysis confirmed that clinical trial efficacy data files were accessed without authorization by an external threat actor. No evidence of data modification, insertion, deletion, or tampering was identified. Hash verification of all 847 submission-relevant files against pre-incident baselines confirms integrity. The incident has been reported to the FBI Cyber Division. A complete forensic report is available upon FDA request.”
FDA Office of Pharmaceutical Quality precedent research:
| Year | Incident type | Disclosure | Outcome |
|---|---|---|---|
| 2023 | Unauthorized read access, efficacy data | Proactive + hash verification | Accepted, no re-audit |
| 2022 | Unauthorized read access, safety narratives | Proactive + forensic summary | Accepted, no re-audit |
| 2021 | Suspected modification (unconfirmed) | Proactive | Accepted, re-audit requested |
Legal counsel assessment: Disclosure language reviewed and approved by Regulatory Affairs – no further legal hold pending.
Analysis direction: The disclosure language is nearly ready, and the forensic team’s hash verification is the document that makes it stand up. Before it is finalized, reconcile three points with the forensic record: the analysis was done by the internal IR team, not an independent firm; the incident window runs through March 9 (last C2 burst and detection), not March 7; and "847 submission-relevant files" is the count recovered from one staging buffer, so either hash the full package or state the scope precisely. This is the concrete output that connects the technical investigation to the submission decision.
Type: Partner relationship status Source: Business Development + CEO, Tuesday 16:00 UTC
Partner notifications sent Tuesday 10:45 UTC per legal recommendation. Current responses:
Partner A (large pharma co-development agreement):
“We acknowledge receipt of your notification dated March 10, 2026. We require a complete forensic summary within 14 days. Pending completion of our internal review, co-development activities may be subject to temporary pause under Section 12.4 of the Master Co-Development Agreement. We are not making a determination at this time and remain committed to the partnership subject to satisfactory resolution.”
Partner B (licensing agreement, pre-clinical data):
“Noted and acknowledged. Our data assets under the licensing agreement – specifically the pre-clinical Series A cohort datasets – do not appear to fall within the affected file shares per your description. We reserve the right to conduct an independent audit. No immediate action is being taken.”
Board Chair briefed: Tuesday 09:00 UTC Board emergency session scheduled: Wednesday 17:00 UTC (submission decision + partner status review)
Analysis direction: Partner A’s “pause” language is the live business risk. Section 12.4 is likely a material adverse change clause; Legal needs to assess whether it has been triggered and what cure options exist. The 14-day forensic summary deadline is achievable. Note that the board session is set for Wednesday 17:00 UTC, two hours after the executive brief’s Wednesday 15:00 UTC decision deadline and at the same hour the FDA extension request window closes; one of those times has to move.
IM Distribution Guide
| Card | Release round | Hand to |
|---|---|---|
| All Tier 1 cards (6 total) | Start of Round 1 | Alpha x2, Bravo x2, Charlie x2 |
| Alpha Deep 1-2, Bravo Deep 1-2, Charlie Deep 1-2 | Start of Round 2 | Respective teams |
| Alpha Deep 3, Bravo Deep 3, Charlie Deep 3 | Start of Round 3 | Respective teams |
| Alpha Dev 1, Bravo Dev 1, Charlie Dev 1 | Start of Round 4 | Respective teams |
| Alpha Dev 2, Bravo Dev 2, Charlie Dev 2 | Start of Round 5 | Respective teams |
IC note: The IC receives no artifacts directly. Teams brief the IC based on their findings. IC pressure comes from cross-team coordination, not IM-distributed materials.
Key coordination moment: Alpha’s Development 1 (read-only confirmation) is the unlock for Charlie’s submission decision. Ensure teams are briefing the IC between Rounds 3 and 4 so the IC can push the submission question before Development cards are released.
Link to scenario card: Noodle RAT Biotech Research | Prep worksheet: Large Group Prep Worksheet