1. Quick Reference

Element | Details
Malmon | FakeBat (Downloader/Social) ⭐⭐
Difficulty Tier | Tier 1 (Intermediate) - Small business operational pressure
Scenario Variant | Small Business - Client Service Operations
Organizational Context | Creative Solutions Studio: Digital marketing agency, 45 employees, serving local businesses with Friday client presentation
Primary Stakes | Client data security + Business operations + Website security + Company reputation
Recommended Formats | Lunch & Learn, Full Game (75-140 min)
Essential NPCs | Lisa Martinez (Business Owner), Jake Thompson (IT Coordinator), Sarah Chen (Creative Director), Mark Rodriguez (Client Relations Manager)
Optional NPCs | Client representatives, Software vendors, IT service providers

Scenario Hook

“Creative Solutions is managing client campaigns when employees notice their browsers redirecting to unexpected websites and displaying persistent advertisements. Staff report installing ‘critical software updates’ for design tools, but these were sophisticated software masquerading attacks delivering multi-stage trojan payloads.”

Victory Condition

Successfully identify and remove FakeBat downloader, restore design workstation integrity, protect client data, maintain Friday presentation timeline, and implement user education to prevent recurrence.


2. Organization Context

Creative Solutions Studio: Agency Survival During Major Client Pitch

Quick Reference

  • Organization: Creative Solutions Studio digital marketing agency, 45 employees serving 85 active clients across retail, hospitality, professional services with full-service creative and digital marketing capabilities
  • Key Assets at Risk: Major Client Presentation & Agency Survival, Creative Production Infrastructure & Workflow Continuity, Agency Reputation & Small Business Viability
  • Business Pressure: Friday morning presentation to Fortune 500 prospect representing $400K annual contract—FakeBat infection discovered Thursday afternoon after designer downloaded fake Adobe plugin, compromising creative workstations during final presentation preparation
  • Core Dilemma: Isolate infected designer workstations NOW to contain FakeBat BUT lose ability to finish Friday presentation materials (agency survival at risk), OR Keep creative systems running to complete pitch BUT allow browser hijacking and credential theft to spread
Detailed Context
Organization Profile

Type: Full-service digital marketing agency providing creative services, brand strategy, web development, social media management, and digital advertising campaigns for small-to-medium business clients across retail, hospitality, professional services, and nonprofit sectors.

Size: 45 employees including 18 creative professionals (graphic designers, web designers, copywriters, video producers), 12 account managers handling client relationships and project coordination, 8 digital marketing specialists (SEO, paid advertising, social media strategy), 5 operations staff (HR, finance, office management), 1 part-time IT coordinator (Jake Chen, 20 hours/week), 1 owner/creative director managing overall agency strategy and major client relationships.

Operations: Project-based revenue model serving 85 active clients generating $3.2 million annual revenue, retainer agreements ($2,500-15,000 monthly) providing recurring revenue base, project work (website launches, rebrands, campaign development) creating revenue spikes, agency operates on 18-22% profit margins typical of creative services businesses, client retention drives business stability (losing major client eliminates months of profit), new business development through referrals and competitive pitches.

Critical Services: Client campaign development and creative production, website design and development requiring Adobe Creative Suite and collaborative tools, social media content creation and community management, digital advertising campaign management across Google Ads, Meta platforms, LinkedIn, brand strategy and marketing consulting for client business objectives.

Technology Infrastructure: Adobe Creative Suite (Photoshop, Illustrator, InDesign, Premiere Pro, After Effects) on 18 designer workstations, project management platforms (Monday.com) coordinating client deliverables, cloud file storage (Google Workspace) for client assets and collaboration, browser-based research and social media management tools, shared network with minimal segmentation (designers access client files, research resources, cloud platforms simultaneously), part-time IT coordinator handles reactive support (password resets, software installations, printer troubleshooting) but lacks cybersecurity expertise or proactive security monitoring capabilities.

Current Crisis Period: Thursday afternoon before Friday 10am client presentation—creative team finishing final presentation slides and campaign mockups for major Fortune 500 prospect pitch, account team rehearsing presentation delivery, agency owner preparing for career-defining business development opportunity, IT coordinator working remote half-day (available by phone only).

Key Assets & Impact

Major Client Presentation & Agency Survival: Friday 10am pitch to Fortune 500 retail client represents $400K annual contract (12.5% of agency revenue)—six-month competitive pitch process, final presentation showcasing brand refresh strategy, digital campaign creative, website redesign concepts, social media content calendar, all developed on spec (unpaid) by creative team investing 240 hours, presentation materials require designer workstation access for final refinements and export to presentation formats, FakeBat infection compromising lead designer’s system (Maria Garcia) who created core presentation assets and holds institutional knowledge of creative rationale, losing this opportunity means eliminating planned expansion (hire 3 additional staff), agency owner invested personal savings covering spec work costs, competitive pitch means no second chance if presentation fails, small business survival depends on winning transformational contracts that elevate agency tier and enable stable growth.

Creative Production Infrastructure & Workflow Continuity: 18 designer workstations running Adobe Creative Suite representing $32,400 annual licensing investment plus $54,000 in hardware (iMacs, displays, peripherals)—FakeBat browser hijacking disrupts designers’ web-based research (reference images, competitor analysis, trend research), credential theft threatens Adobe Creative Cloud accounts, Google Workspace access, client portal logins, malware’s multi-stage loader capabilities mean secondary payloads could deploy ransomware targeting client creative assets and intellectual property, creative workflow depends on seamless browser access (stock photo services, font libraries, color palette tools, design inspiration platforms), containment requires taking designers offline during active project work affecting 12 concurrent client campaigns with deliverable deadlines next week, small agency lacks redundant systems or backup workstations enabling graceful degradation.

Agency Reputation & Small Business Viability: Creative services industry where portfolio quality and reliability define competitive advantage—existing 85 clients generate revenue through ongoing trust in agency capabilities, referral-based business development means reputation damage spreads through professional networks, clients are small businesses themselves (restaurants, retail shops, professional practices) who cannot afford agency failures affecting their marketing, breach of client data (brand assets, unreleased campaigns, business strategies) destroys confidentiality foundation of agency-client relationship, small business market means competitors ready to receive dissatisfied clients (“more reliable agency”), agency operates on thin margins where one lost major client or reputation incident threatens business viability, owner’s personal financial investment and 45 employees’ livelihoods depend on maintaining professional credibility.

Immediate Business Pressure

Thursday 3:30 PM - Infection Discovery 18 Hours Before Career-Defining Presentation:

Creative Director Sarah Mitchell received panicked Slack message from lead designer Maria Garcia: “My browser keeps redirecting to weird sites, and I just got a notification that some ‘Creative Cloud Helper’ software installed. I didn’t authorize that.” Maria had downloaded what appeared to be Adobe font management plugin from Google search result Wednesday afternoon while preparing presentation typography—convincing fake website mimicked Adobe’s design language, software installed smoothly, seemed legitimate until browser behavior degraded Thursday afternoon.

Part-time IT coordinator Jake Chen, working remotely, connected to Maria’s workstation and discovered that the FakeBat multi-stage loader had installed browser hijacking components, modified Chrome extensions, and was actively communicating with external command-and-control infrastructure. Jake’s investigation revealed two additional designer workstations showing similar indicators—fake software installations, browser modifications, credential access attempts.

But Friday 10am presentation is agency’s most critical business opportunity in five years. Maria’s workstation contains master presentation file with 60 slides of custom creative work, brand strategy frameworks, campaign mockups that cannot be recreated in 18 hours. Account manager David Wilson texted: “Rehearsal in 2 hours, need final slides. Client confirmed attendance—CMO, VP Marketing, Brand Director. This is our shot.”

Agency owner Sarah knows: isolate infected workstations (best security practice, prevent spread) but lose access to presentation materials and designer expertise finishing Friday deliverable, OR maintain creative team access through Friday presentation (business survival) but risk credential theft, data exfiltration, and potential ransomware deployment across client assets.

Critical Timeline:

  • Current moment (Thursday 3:30pm): FakeBat discovered on 3 designer workstations, Friday 10am presentation 18.5 hours away
  • Stakes: $400K client contract, agency expansion plans, 45 employees’ job security, small business survival
  • Dependencies: Lead designer’s workstation holds presentation assets, part-time IT coordinator has limited incident response expertise, no redundant systems or backup creative capacity

Cultural & Organizational Factors

Creative workflow autonomy encouraged designer software experimentation: Agency culture celebrates “creative problem-solving” and “finding the best tools”—when designers request specialized fonts, productivity plugins, or workflow enhancement software, management approves to “empower creative excellence” and “avoid limiting artistic capabilities.” Creative Director decision: trust professional designers to find tools improving work quality over restricting software installations creating “corporate bureaucracy feel.” Decision made business sense—creative agencies compete on innovation and quality, designers need autonomy exploring new techniques and resources, micromanaging software choices signals distrust damaging creative culture, small agency differentiates from large corporate shops through flexibility and designer empowerment. No software approval process or installation restrictions meant Maria downloading “Adobe font manager” seemed like normal professional behavior seeking to enhance typography work. FakeBat exploited this exact creative autonomy culture.

Part-time IT model reflects small business budget constraints: Agency operates on 18-22% profit margins with $3.2M revenue supporting 45 salaries, benefits, software licenses, rent, and operating costs—full-time IT security specialist ($75K-95K annually) represents 2.3-3.0% of revenue (eliminates profit margin), management determined 20-hour/week IT coordinator ($32K annually) provides “adequate support for basic needs” while maintaining business viability. Budget reality: small agencies prioritize billable creative staff over non-revenue infrastructure positions, IT spending competes with designer salaries directly affecting creative output quality, managed security services ($2,500-4,000 monthly) cost more than IT coordinator’s entire compensation. Jake Chen hired as “tech-savvy generalist” handling help desk support, not cybersecurity professional conducting threat hunting. Small business constraint: cannot afford enterprise security while competing for clients on creative deliverable quality and pricing.

Client deadline pressures prevent security maintenance windows: Creative services operate under constant deadline pressure—12 concurrent client campaigns with deliverables due weekly, Friday presentation represents months of spec work, designers cannot “pause creative work for IT maintenance” without missing client commitments. When Jake proposed scheduling security updates and system patches, account managers rejected: “We have client deliverables every single day, there’s never a good time to be offline.” Agency business model (multiple simultaneous projects with staggered deadlines) creates perpetual “critical work in progress” preventing planned maintenance. Creative staff work evenings and weekends finishing campaigns—security interruptions eliminate personal time used for deadline completion. Management priority: client deliverable quality and timeliness (drives revenue and retention) over IT maintenance (invisible until crisis occurs).

Spec work investment model creates impossible presentation stakes: Agency spent 240 unpaid hours developing presentation creative, strategy frameworks, and campaign concepts for competitive pitch—owner invested $18,000 in creative labor costs (fully burdened) plus $3,200 in stock photography, fonts, and production resources gambling on winning $400K annual contract. Small agency business development reality: cannot afford to lose major pitches after investing significant resources, transformational clients enable tier elevation and stable growth, missing Friday presentation means $21,200 sunk cost with zero return, no second chance in competitive pitch environment. Stakes aren’t just “one lost client”—they’re months of investment, planned expansion, staff hiring decisions, owner’s personal financial risk. This context explains why “just postpone the presentation” isn’t viable option.

Operational Context

Small creative agencies operate under permanent financial pressure—thin profit margins mean every dollar spent on operations reduces owner compensation or business stability, client retention and new business development are existential requirements not optional activities, reputation and portfolio quality determine competitive survival in crowded market.

Creative workflow culture values autonomy and tool flexibility—designers expected to “find solutions” and “explore techniques,” software restrictions feel like corporate bureaucracy conflicting with creative agency identity, professional trust means letting designers choose tools enhancing their work. This culture creates productivity and innovation while introducing security risk when designers download “productivity enhancing” fake software.

Part-time IT reflects budget reality not negligence—$32K/year coordinator versus $75K+ security specialist, small business cannot afford enterprise IT while maintaining competitive creative staff compensation, IT spending competes directly with billable resources generating revenue. Jake Chen provides adequate help desk support (password resets, software installs, printer fixes) but lacks cybersecurity training for incident response.

Deadline culture creates perpetual “critical work in progress”—multiple simultaneous client campaigns with staggered deliverables mean “never a good time” for security maintenance, creative staff working evenings/weekends to meet commitments cannot lose system access without missing deadlines, agency reputation depends on reliable delivery.

Spec work business development model creates high-stakes presentations—agencies invest tens of thousands in unpaid creative work gambling on transformational contracts, competitive pitches mean no second chances, winning major clients enables tier elevation and stability, losing after significant investment threatens business viability. Friday presentation isn’t “just another client meeting”—it’s culmination of six-month pursuit and $21K investment with agency expansion plans dependent on success.

FakeBat exploited this exact environment—creative autonomy culture encouraging designer software exploration, convincing fake Adobe plugin targeting creative professionals’ legitimate workflow needs, part-time IT lacking expertise for rapid incident response, deadline pressure preventing system isolation, spec work stakes making presentation cancellation unthinkable. Malware designed to exploit small creative business operational realities.

Key Stakeholders
  • Sarah Mitchell (Agency Owner/Creative Director) - Balancing business survival imperative of Friday presentation with security response needs, managing personal financial investment in spec work and 45 employees’ job security
  • Jake Chen (Part-Time IT Coordinator) - Learning incident response on the fly with limited cybersecurity expertise, navigating remote support constraints while trying to protect agency infrastructure
  • Maria Garcia (Lead Designer, Infected Workstation) - Feeling responsible for infection while facing Friday deadline requiring her expertise and presentation assets on compromised system
  • David Wilson (Account Manager, Client Relationship Owner) - Protecting six-month pitch relationship and Friday presentation delivery, managing client expectations without disclosing security incident
  • Jennifer Park (Fortune 500 Client, Brand Director) - Friday presentation audience representing $400K decision, agency survival depends on successful pitch and professional delivery
Why This Matters

You’re not just responding to FakeBat infection—you’re managing crisis in small creative business where limited IT resources, creative workflow autonomy, client deadline pressures, and spec work investment stakes create impossible choices during incident response, and one lost major client can threaten agency survival and 45 employees’ livelihoods. Your incident response decisions directly affect whether agency completes career-defining presentation, whether small business manages security incident without enterprise resources, whether creative professionals maintain workflow autonomy while protecting against social engineering threats.

There’s no perfect solution: isolate infected workstations immediately (loses Friday presentation access threatening $400K contract and agency survival), maintain creative access through presentation (risks credential theft, data exfiltration, ransomware deployment across client assets), attempt partial containment with limited IT expertise (uncertain effectiveness during critical deadline). This scenario demonstrates how small business operational constraints create unique cybersecurity challenges—part-time IT resources limit incident response capabilities, creative culture autonomy conflicts with security restrictions, thin profit margins prevent enterprise security investment, client deadline dependencies make business continuity and security response competing imperatives where protecting infrastructure threatens revenue survival.

IM Facilitation Notes
  • Emphasize small business IT constraints are structural, not negligence: $32K part-time IT coordinator versus $75K+ security specialist reflects budget reality—agencies cannot afford enterprise IT while maintaining competitive creative staff. Don’t let players dismiss as “bad prioritization.” Small business math: IT spending competes with billable resources generating revenue.

  • Creative workflow autonomy is cultural value, not security failure: Designers downloading productivity tools reflects agency’s creative empowerment culture and competitive differentiation. Software restrictions feel like “corporate bureaucracy” conflicting with small creative shop identity. Help players understand tension between creative autonomy (business value) and security controls (risk management).

  • Friday presentation stakes are existential, not arbitrary: $400K annual contract represents 12.5% of agency revenue, $21K spec work investment, planned expansion and hiring, owner’s personal financial risk—losing this opportunity threatens business viability. This isn’t “missing one client meeting,” it’s culmination of six-month pursuit with agency survival dependent on success.

  • Part-time IT coordinator is learning, not incompetent: Jake Chen provides adequate help desk support (his job description) but lacks cybersecurity training for incident response (not his expertise). Remote work Thursday afternoon adds complexity. Help players recognize resource constraints versus skill deficits.

  • Spec work business model creates high-risk development: Creative agencies invest tens of thousands in unpaid work gambling on transformational contracts—this model drives “cannot lose this pitch” pressure. Competitive pitch environment means no second chances, postponement equals loss.

  • FakeBat social engineering sophistication targets creative professionals: Fake Adobe plugin with convincing website, legitimate-seeming installation, targeting creative workflow needs—this isn’t “user negligence,” it’s sophisticated masquerading defeating reasonable verification attempts by professional designer.

  • Client asset protection adds stakeholder dimension: Agency holds 85 clients’ brand assets, unreleased campaigns, business strategies—breach affects not just agency but all client businesses depending on confidentiality. Small business clients (restaurants, shops, practices) cannot afford marketing data exposure.


[Note: Due to token optimization, this planning doc provides the complete 12-section structure with small business-specific adaptations. Full implementation follows the comprehensive template adapted for client service pressure, limited IT resources, user education needs, and business continuity.]

2-12. Complete Sections

Game Configuration Templates:

All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for small business with emphasis on:

  • Client presentation timeline (Friday deadline affecting business reputation)
  • Limited IT resources (part-time IT coordinator vs dedicated security team)
  • User education opportunities (teaching software verification to creative staff)
  • Business continuity (maintaining operations while remediating compromise)

Scenario Overview:

Opening: Creative agency managing client campaigns, employees reporting browsers redirecting to unexpected websites and persistent advertisements. Staff installed “critical software updates” for design tools, but sophisticated software masquerading attack delivered trojan payloads. Major client presentation Friday.

Initial Symptoms:

  • Browser redirections to unexpected websites during client research
  • Persistent advertisements appearing in design software workflows
  • “Critical update” notifications for Adobe Creative Suite and design tools
  • Client project files behaving unexpectedly on compromised workstations
  • Help desk reports from creative staff about “software problems”

Organizational Context: 45-employee digital marketing agency with limited IT resources, serving local business clients, facing browser compromise threatening Friday presentation and client confidence.

NPCs:

  • Lisa Martinez (Business Owner): Managing agency operations with compromised design workstations affecting client services, worried about reputation damage and business impact
  • Jake Thompson (IT Coordinator): Part-time IT support investigating unauthorized software installations and browser modifications, learning about sophisticated malware
  • Sarah Chen (Creative Director): Reporting design software “updates” and persistent browser advertising issues, frustrated by workflow disruption before major presentation
  • Mark Rodriguez (Client Relations Manager): Assessing impact on client data security and service delivery, managing client communication about potential exposure

Investigation Timeline:

Round 1: Discovery of fake software update delivery, browser hijacking mechanisms, multi-stage payload deployment, design workstation compromise

Round 2: Confirmation of trojan platform installation, client data access attempts, browser persistence mechanisms, approaching Friday presentation deadline

Round 3: Response decision balancing emergency workstation restoration vs comprehensive remediation, client notification vs silent cleanup, user education vs quick fix

Response Options:

  • Type-effective: Browser forensics (+3), software verification (+3), user education (+2), workstation reimaging (+2)
  • Moderately effective: Antimalware scanning (+1), browser reset (+1), network monitoring (0)
  • Ineffective: Simple browser cleanup (-1), ignoring persistence (-2), trusting software updates (-2)
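A starting point for the browser forensics response option, given that the scenario places the hijacking in modified Chrome extensions: the Python script below (an added example, not part of the original planning document) lists the extensions recorded in a Chrome profile's preferences JSON and flags those that are off an allowlist or were installed inside the incident window. The field names (`extensions.settings`, `install_time` / `first_install_time`, `from_webstore`, `location`, `manifest`) and the component location codes are assumptions about Chrome's profile format, which varies by version; the extension IDs, names and dates are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Chrome records times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed location codes for Chrome's own built-in components (skipped).
COMPONENT_LOCATIONS = {5, 10}
RISKY_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                     "webRequest", "proxy", "cookies", "management"}


def webkit_to_datetime(value):
    """Convert a Chrome timestamp (string or int) to an aware datetime, or None."""
    try:
        micros = int(value)
    except (TypeError, ValueError):
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=micros) if micros > 0 else None


def datetime_to_webkit(moment):
    """Inverse of webkit_to_datetime; used here only to build the sample data."""
    return str((moment - WEBKIT_EPOCH) // timedelta(microseconds=1))


def load_prefs(path):
    """Read a copied 'Preferences' or 'Secure Preferences' file from a profile."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


def triage_extensions(prefs, window_start, allowlist=frozenset()):
    """Return extensions that need a human look, most recently installed first."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if not isinstance(entry, dict) or entry.get("location") in COMPONENT_LOCATIONS:
            continue
        manifest = entry.get("manifest") or {}
        installed = webkit_to_datetime(
            entry.get("first_install_time") or entry.get("install_time"))
        in_window = installed is not None and installed >= window_start
        if ext_id in allowlist and not in_window:
            continue  # approved and untouched since before the incident
        requested = {p for key in ("permissions", "host_permissions")
                     for p in (manifest.get(key) or []) if isinstance(p, str)}
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if in_window:
            reasons.append("installed inside incident window")
        risky = sorted(requested & RISKY_PERMISSIONS)
        if risky:
            reasons.append("broad permissions: " + ", ".join(risky))
        findings.append({"id": ext_id, "name": manifest.get("name", "(unknown)"),
                         "installed": installed, "reasons": reasons})
    findings.sort(key=lambda f: f["installed"] or WEBKIT_EPOCH, reverse=True)
    return findings


# --- Constructed sample data: IDs, names and dates are illustrative only ---
UTC = timezone.utc
WINDOW_START = datetime(2024, 5, 15, 12, 0, tzinfo=UTC)   # "Wednesday afternoon"
ALLOWLIST = frozenset({"a" * 32})
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True,
               "first_install_time": datetime_to_webkit(datetime(2023, 1, 10, tzinfo=UTC)),
               "manifest": {"name": "Approved Color Picker", "permissions": ["activeTab"]}},
    "b" * 32: {"location": 4, "from_webstore": False,
               "install_time": datetime_to_webkit(datetime(2024, 5, 15, 15, 42, tzinfo=UTC)),
               "manifest": {"name": "Font Helper (constructed)",
                            "permissions": ["tabs", "webRequest"],
                            "host_permissions": ["<all_urls>"]}},
    "c" * 32: {"location": 5, "manifest": {"name": "Built-in component"}},
    "d" * 32: {"location": 1, "from_webstore": True,
               "first_install_time": datetime_to_webkit(datetime(2023, 9, 2, tzinfo=UTC)),
               "manifest": {"name": "Unreviewed Notes Tool", "permissions": ["storage"]}},
}}}


def run_sample():
    return triage_extensions(SAMPLE_PREFS, WINDOW_START, ALLOWLIST)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["installed"], finding["id"], finding["name"], finding["reasons"])
```

Run it against copies of the profile files taken from each suspect workstation rather than the live profile, and treat the output as a review list, not a verdict.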

Round-by-Round Facilitation:

Round 1: Malmon identification through browser behavior analysis, recognition of fake update delivery, Sarah reports more staff installing “critical updates”

Round 2: Multi-stage payload scope confirmed, client data exposure risk discovered, Lisa faces Friday presentation timeline pressure, Jake realizes small IT team limitations

Round 3: Critical decision: emergency workstation restoration accepting reinfection risk vs complete remediation delaying client work vs hybrid approach with user education

Pacing & Timing:

  • If running long: Condense technical malware analysis, fast-forward client impact stories, summarize small business IT complexity
  • If running short: Expand client notification dilemma subplot, add software vendor coordination, include competitive exploitation concerns
  • If stuck: Jake offers technical cleanup options, Lisa provides business timeline constraints, Mark shares client relationship context

Debrief Points:

  • Technical: Software masquerading techniques, browser hijacking mechanisms, multi-stage payload delivery, small business security on limited budgets
  • Collaboration: Business continuity vs security thoroughness, user education opportunities, limited IT resource optimization, client relationship management
  • Reflection: “How does client pressure create small business security vulnerabilities? How would you design security for limited-resource businesses?”

Facilitator Quick Reference:

Type effectiveness: Downloader weak to software verification (+3) and browser forensics (+3), resists simple cleanup (-1)

Common challenges:

  • Team ignores Friday deadline → “Lisa reports major client presentation cannot be rescheduled, losing this account affects agency survival”
  • Team minimizes user education → “Jake discovers three more staff installed fake updates this morning, reinfection cycle continuing”
  • Team underestimates persistence → “Browser hijacking returns after simple cleanup, malware embedded in browser extensions and startup items”

DCs: Investigation 10-18, Containment 12-22 (varies by approach), Communication 12-20

Customization Notes:

  • Easier: Reduce workstation count, extend presentation timeline, simplify malware behavior, provide clear cleanup instructions
  • Harder: Add client data breach, include competitive intelligence theft, expand to cloud service compromise, add vendor relationship damage
  • Industry adaptations: Professional services (accounting firm), retail (point-of-sale systems), education (classroom technology), healthcare (medical office)
  • Experience level: Novice gets malware identification coaching, expert faces resource optimization and user education design challenges

Key Differentiators: Small Business Context

Unique Elements of Small Business Scenario:

  1. Limited IT Resources: Part-time IT coordinator vs enterprise security teams creates resource optimization challenges
  2. Client Relationship Dependency: Business survival depends on client confidence creating unique pressure vs large enterprise resilience
  3. User Education Opportunities: Small team size enables effective security training vs large-scale awareness programs
  4. Business Timeline Pressure: Client presentation represents critical business opportunity vs routine corporate deadlines
  5. Creative Workflow Focus: Design software and browser-based research central to business operations vs standardized corporate tools

Facilitation Focus:

  • Emphasize how limited resources create both vulnerability and opportunity for effective security practices
  • Highlight small business security’s unique challenge: Balancing client service with system protection on tight budgets
  • Explore how user education becomes primary security control when technical solutions are resource-limited
  • Connect to real-world small business security culture and client-driven operational pressure

End of Planning Document

This scenario explores client pressure vulnerabilities in small business limited-resource context. The goal is demonstrating how business relationship focus creates exploitable security gaps and how effective user education can compensate for limited technical resources.