Players Handbook
Your Guide to Collaborative Cybersecurity Learning
Apr 6, 2026
Players Handbook - Offline Version
Welcome, Player
About This Handbook
This handbook is your complete guide to participating in Malware & Monsters sessions - engaging, team-based security training experiences that put you at the center of realistic incident response simulation scenarios. Our approach develops security awareness and hands-on cybersecurity skills through collaborative learning experiences.
Whether you’re a seasoned security professional or curious newcomer, you’ll find that Malware & Monsters creates authentic learning through collaborative problem-solving, not lectures or presentations.
Legacy & Contemporary Threats: You’ll encounter both foundational cybersecurity incidents that shaped the field (like Code Red, Stuxnet, and Gh0st RAT) and modern threats currently impacting organizations (like LockBit, FakeBat, and WannaCry). This historical perspective helps understand how attack techniques evolved and why certain defenses developed.
What Makes This Different?
Your expertise matters. Unlike traditional training where you passively receive information, Malware & Monsters puts your knowledge, experience, and instincts at the center of every scenario.
Real challenges, safe environment. Face realistic cyber threats in a collaborative setting where mistakes become learning opportunities and diverse perspectives create better solutions.
Team-based discovery. Work with incident response teammates to uncover, analyze, and respond to digital threats - just like you would in the real world.
How to Use This Handbook
If You’re New to Malware & Monsters
- Start with the Players Quick Start Guide to get playing in minutes
- Read Introduction to understand the learning philosophy
- Read Understanding Malmons to grasp the core concepts
- Focus on Incident Response Roles to find your place on the team
- Reference Game Mechanics when you need rule clarifications
If You’re an Experienced Player
- Jump to The Containment System to see how your skills translate to gameplay
- Explore Competitive Elements for advanced challenges
- Check MalDex Collection for the community knowledge-building aspects
- Use Training and Progression to track your growing expertise
If You’re Looking for Quick Reference
- Type Effectiveness Chart - Visual guide to malware type interactions
- Role Quick Reference - At-a-glance role abilities and responsibilities
- Common Game Terms - Definitions and terminology
What You’ll Learn
Through Malware & Monsters sessions, you’ll develop:
- Collaborative incident response skills through realistic team scenarios
- Technical knowledge about real malware families and attack techniques
- Communication abilities for explaining technical concepts across disciplines
- Strategic thinking about cybersecurity from multiple organizational perspectives
- Confidence in your ability to contribute meaningfully to security teams
The Community Aspect
Malware & Monsters isn’t just a learning activity - it’s a growing community of cybersecurity professionals who believe in:
- Collaborative learning over competitive individual achievement
- Practical experience over theoretical knowledge alone
- Diverse perspectives making everyone more effective
- Continuous improvement through shared experiences and insights
Each chapter builds naturally on the previous ones, but feel free to explore based on your interests and experience level. The most important thing is to jump in and start collaborating!
Getting Started
Your first Malware & Monsters experience will begin with character creation, where you’ll:
- Share your expertise with your teammates
- Choose your role based on interests and team needs
- Develop your character around your real skills and personality
- Face your first incident as a collaborative response team
No preparation required - just bring your curiosity, your experience (whatever level), and your willingness to work as part of a team.
Join the Community
- Contribute scenarios and Malmon discoveries
- Share insights from your sessions
- Connect with other players and incident masters
- Help grow the collaborative learning network
For community resources and connections, visit: [community website placeholder]
Educational Use Statement
Malware & Monsters is designed for educational purposes. All scenarios are based on publicly available threat intelligence and research. The game does not provide actual malware samples or detailed exploitation techniques that could be misused.
Introduction to Malware & Monsters
The Philosophy Behind the Experience
Cybersecurity is fundamentally a collaborative discipline. Real incidents require diverse expertise, clear communication, and coordinated response. Yet most cybersecurity training isolates learners in individual exercises or passive presentations.
Malware & Monsters flips this approach. Instead of learning about cybersecurity, you practice it in realistic, team-based scenarios. This gamified incident response training turns passive learning into engaging simulations that build real cybersecurity skills.
Learning Through Discovery
In every Malware & Monsters session, which is built around collaborative cybersecurity learning:
- Your knowledge drives the content. The Incident Master facilitates, but your expertise and insights create the learning experience.
- Questions matter more than answers. The goal isn’t to memorize facts, but to develop the thinking skills that drive cybersecurity skills development.
- Mistakes become insights. When approaches don’t work, the team learns together why and develops better strategies.
- Collaboration creates confidence. Working with teammates builds both technical skills and communication abilities essential for security professional development.
How Sessions Work
The Basic Structure
Every Malware & Monsters session follows a three-phase incident response structure:
Discovery Phase (Round 1): Your team investigates initial symptoms to identify what type of threat you’re facing. Each team member approaches the investigation from their role’s perspective, then shares findings to collectively identify the specific Malmon.
Investigation Phase (Round 2): With the threat identified, your team analyzes the scope of the incident, understands the attack progression, and assesses potential impact. This phase often reveals the Malmon’s attempts to evolve or escalate.
Response Phase (Round 3): Your team coordinates a comprehensive response strategy, implements containment measures, and works to neutralize the threat before it can cause maximum damage.
Your Role in the Team
Rather than playing a generic “cybersecurity professional,” you’ll take on a specific role that matches your interests and expertise:
- Detective: You excel at finding clues and analyzing evidence
- Protector: You focus on stopping threats and securing systems
- Tracker: You monitor data flows and network behavior
- Communicator: You handle stakeholder relations and coordinate response
- Crisis Manager: You oversee the overall incident response strategy
- Threat Hunter: You proactively search for hidden threats and attack indicators
These roles aren’t rigid job descriptions - they’re lenses through which you approach problems, ensuring every team member contributes their unique perspective.
What Makes Malmons Special
Digital Threats as Creatures
In Malware & Monsters, malware families are represented as Malmons - digital creatures with distinct personalities, capabilities, and behaviors. This isn’t just a creative choice; it reflects how cybersecurity professionals actually think about threats.
Just as biologists classify animals by species with predictable behaviors, cybersecurity professionals categorize malware families by their attack patterns, evasion techniques, and objectives. A GaboonGrabber behaves differently from WannaCry, which behaves differently from Stuxnet.
Legacy and Contemporary Threats
Your Malmon encounters span cybersecurity history, helping you understand how threats evolved:
Legacy Malmons represent foundational attacks that shaped the field - Code Red (2001) demonstrated internet-scale worm propagation, Stuxnet (2010) revealed nation-state capabilities, and Gh0st RAT (2008) pioneered APT techniques still used today.
Contemporary Malmons reflect current threat landscapes - LockBit represents modern ransomware operations, FakeBat shows today’s loader tactics, and WannaCry bridges legacy vulnerabilities with contemporary impact.
This historical perspective helps teams recognize patterns, understand why certain defenses exist, and apply lessons from past incidents to current challenges.
The Type System
Every Malmon belongs to one or more types that determine its strengths and weaknesses:
- Trojan-types excel at deception but struggle against behavioral analysis
- Worm-types spread rapidly through networks but can be contained through isolation
- Ransomware-types threaten data integrity but are vulnerable to backup strategies
- Rootkit-types hide deep in systems but can be exposed through forensic techniques
Understanding these type relationships helps you choose the most effective response strategies.
Evolution and Adaptation
Malmons can evolve during incidents, gaining new capabilities and becoming more dangerous. A basic Trojan might evolve into an Advanced Persistent Threat if not contained quickly. This evolution mechanic reflects how real cyber attacks escalate when not addressed promptly.
Example Malmon Card
Here’s what a typical Malmon card looks like:
GaboonGrabber
GaboonGrabber was discovered and named by Lena aka LambdaMamba, and is the first Malmon ever created. Written in .NET, it extracts embedded resources to launch multiple fileless stages. It camouflages itself as legitimate software—even mimicking app code—to avoid detection. Its final stage can deploy threats like Snake Keylogger, AgentTesla, Redline, Lokibot, and more.
Each Malmon card provides essential information for understanding the threat’s behavior, capabilities, and vulnerabilities - helping your team choose the most effective response strategies.
The Learning Experience
Building Real Skills
While the creature-collection framework makes learning engaging, every mechanic teaches genuine cybersecurity concepts. Research demonstrates that game-based learning environments effectively enhance skill acquisition and knowledge retention (Gee 2003; Connolly et al. 2012):
- Type effectiveness teaches you to match defensive strategies to specific threat categories
- Evolution mechanics demonstrate how attacks escalate when not contained quickly
- Collaborative investigation builds the communication skills essential for incident response (Johnson et al. 1999)
- Role specialization helps you understand how different security functions work together
Safe Environment for Growth
Malware & Monsters creates a safe space to develop cybersecurity expertise through social learning processes (Vygotsky 1978):
- Ask questions without feeling inexperienced
- Make mistakes and learn from them collaboratively
- Share knowledge and learn from others’ expertise
- Practice communication across different technical backgrounds
- Build confidence in your ability to contribute to security teams
Community Knowledge Building
Every session contributes to a growing collection of community knowledge:
- MalDex entries document your team’s encounters with different Malmons
- Response strategies get shared with other teams and organizations
- Lessons learned help improve future incident response
- Technique sharing spreads effective practices across the community
What to Expect in Your First Session
Character Creation
You’ll start by sharing your cybersecurity-related experience with your teammates. This could be professional work, academic study, hobby projects, or just general curiosity about technology. Based on these interests and team needs, you’ll collaboratively choose roles.
Then you’ll develop your character - keeping your real name but building a personality around your chosen role. Are you a paranoid Detective who notices every anomaly? A protective Protector who takes attacks personally? A methodical Crisis Manager who thinks in flowcharts? Have fun with the archetypes while staying true to your actual interests.
Example Role: Detective
🎭 Archetype
💪 Strengths
• Pattern Recognition: Spotting anomalies in logs and behavior
• Evidence Analysis: Connecting clues into attack timelines
🎯 Focus Areas
• System logs and process executions
• Attack vector analysis and entry points
🎪 Roleplay Tips
• Be curious about details others might skip
• Share your thought process: 'This pattern suggests...'
During investigations, you might collect evidence artifacts - pieces of information from incident reports, system logs, or security alerts that help your team understand what happened.
The Incident Begins
Your Incident Master will present initial symptoms - computers running slowly, suspicious emails, unusual network traffic. Your team investigates these symptoms from different role perspectives, sharing discoveries and building toward identifying the specific Malmon you’re facing.
Collaborative Problem-Solving
Throughout the session, you’ll work together to understand the threat, assess its impact, and coordinate an effective response. The Incident Master facilitates this process through questions and guidance, but your team’s knowledge and decisions drive the experience.
Learning Through Reflection
Sessions conclude with reflection on what you discovered, what strategies worked, and what you might do differently. These insights get captured in your team’s MalDex entry and shared with the broader community.
Getting the Most from Your Experience
Embrace Your Role
Don’t worry about being the “smartest” person in the room. Each role brings valuable perspectives, and the best solutions emerge from diverse viewpoints working together.
Ask Questions
If you don’t understand something, ask. If you’re curious about a technique someone mentioned, explore it. If you disagree with a proposed approach, voice your concerns. Questions drive learning and often reveal important insights.
Think Like Your Character
Get into your role’s mindset. How would a Detective approach this evidence? What would worry a Protector about this attack? How would a Communicator explain this to management? Role-playing enhances both engagement and learning.
Learn from Others
Pay attention to how your teammates think through problems. What questions do they ask? What patterns do they notice? What tools do they suggest? Every session is an opportunity to expand your own mental toolkit.
Ready to Start?
Malware & Monsters sessions require no special preparation beyond curiosity and willingness to collaborate. You’ll learn the specific mechanics as you play, guided by your Incident Master and supported by your teammates.
The most important thing to remember: this is a collaborative learning experience. Your success is measured not by individual achievement, but by how well your team works together to understand and respond to cybersecurity challenges. This approach aligns with established cooperative learning principles that emphasize collective problem-solving and shared knowledge construction (Slavin 1996).
In the following chapters, you’ll learn about the specific systems and mechanics that make Malware & Monsters work - from understanding Malmon types and abilities to mastering advanced response strategies. But remember, these are tools to support collaborative learning, not rules to memorize. This experiential gaming approach builds on proven pedagogical frameworks for cybersecurity education (Kiili 2005; Cone et al. 2007).
When you arrive at your first Malware & Monsters session, you’ll need nothing more than:
- Curiosity about cybersecurity challenges
- Willingness to work as part of a team
- Openness to sharing your perspective and learning from others
- Enthusiasm for collaborative problem-solving
Everything else you’ll learn through the experience itself.
Preparing for Your Session
Welcome to your first step toward becoming an effective cybersecurity incident responder! Whether you’re a seasoned security professional or someone curious about cybersecurity, this chapter will help you prepare for a successful and engaging Malware & Monsters session.
What to Expect
Your Learning Journey
A Malware & Monsters session is where collaborative storytelling meets cybersecurity education. You’ll work with 4-5 other participants to respond to a simulated cybersecurity incident, combining your real-world knowledge with game mechanics to create an authentic team-based training experience that builds cybersecurity skills.
Session Structure:
- Setup: Character creation and team formation
- Round 1: Discovery - What’s happening?
- Round 2: Investigation - How bad is it?
- Round 3: Response - How do we fix it?
The Collaborative Difference
Unlike traditional training where an expert lectures, in Malware & Monsters:
- Your expertise drives the content
- Questions are more valuable than answers
- Learning happens through discovery, not memorization
- Every perspective contributes something valuable
Before You Arrive
What Expertise You Bring
Everyone has valuable knowledge to contribute. Here’s how different backgrounds enhance the experience:
Your deep knowledge provides authentic technical context, but remember:
- Share insights, don’t lecture - Build on others’ discoveries
- Ask questions that help less technical teammates learn
- Embrace uncertainty - Even experts don’t know everything
- Learn from business perspectives - Technical solutions must work for organizations
Your perspective is crucial for realistic incident response:
- Business impact awareness - What really matters to organizations
- Communication skills - Translating between technical and business needs
- Common sense - Often the most important cybersecurity skill
- User behavior insights - How people actually interact with technology
Your fresh perspective and questions drive learning for everyone:
- Curious questioning - “Why?” and “What if?” push deeper understanding
- Pattern recognition - New eyes often see things others miss
- Enthusiasm - Your energy and interest motivate the whole team
- Learning mindset - Modeling how to grow through collaboration
Setting Learning Intentions
Before your session, consider:
What do you want to learn?
- Specific cybersecurity concepts or techniques
- How incident response teams work together
- Communication skills for technical topics
- Problem-solving approaches for complex challenges
What can you contribute?
- Professional experience from your field
- Analytical or creative thinking approaches
- Communication and collaboration skills
- Questions that help everyone learn
How do you learn best?
- Through discussion and explanation
- By working through problems hands-on
- By asking questions and exploring scenarios
- Through storytelling and examples
Managing Pre-Session Anxiety
“I Don’t Know Enough” Syndrome
This is completely normal! Even cybersecurity experts feel this way when encountering new scenarios or working with specialists from other domains.
- No one knows everything - Even experts are learning constantly
- Your questions help others learn - What confuses you confuses others too
- Different types of knowledge matter - Technical, business, user, regulatory
- Facilitators support your success - They want you to contribute meaningfully
Common Concerns and Realities
“What if I say something wrong?”
- Mistakes become learning opportunities for everyone
- Other participants will build on and refine ideas collaboratively
- The facilitator guides discussions to keep them productive
- Being wrong about details doesn’t invalidate your perspective
“What if I don’t understand the technical aspects?”
- Technical participants will explain concepts as needed
- You can contribute business, user, or common-sense perspectives
- Your questions often lead to the most important insights
- Non-technical understanding is crucial for real-world cybersecurity
“What if I can’t role-play or act?”
- Character development is minimal - mostly using your real name and expertise
- You can be as much or as little “in character” as feels comfortable
- The focus is on collaborative problem-solving, not performance
- Your authentic self is the best character you can play
Practical Preparation
What to Bring
Required:
- Yourself and your experience - The most important contribution
- Curiosity and willingness to collaborate
- Openness to learning from others
Helpful but not required:
- Notebook for capturing insights - Digital or paper
- Professional experience examples to share when relevant
- Questions about cybersecurity you’d like to explore
Provided at the session:
- All game materials (dice, cards, reference sheets)
- Scenario information and context
- Technical reference materials as needed
Mental Preparation
Collaborative Mindset:
- “Yes, and…” - Build on others’ ideas rather than contradicting
- Question-driven learning - Curiosity is more valuable than certainty
- Shared success - The team wins or learns together
- Authentic contribution - Your real expertise and perspective matter
Growth Mindset:
- Learning through mistakes - Errors become insights
- Questions show engagement - Asking is better than staying silent
- Different expertise types - Technical, business, user, regulatory all matter
- Continuous learning - Everyone, including experts, is always learning
Your Role in Team Success
What Makes a Great Teammate
Active Participation:
- Share relevant insights when you have them
- Ask questions when you’re curious or confused
- Build on others’ ideas with “Yes, and…” thinking
- Support quieter teammates by inviting their input
Generous Listening:
- Give others space to share their expertise
- Ask follow-up questions to understand better
- Connect insights across different perspectives
- Acknowledge good ideas and helpful contributions
Authentic Contribution:
- Share your real knowledge and experience
- Admit when you don’t know something
- Offer your perspective even if it’s different
- Stay engaged even when topics are unfamiliar
Building Team Chemistry
During Character Creation:
- Be genuinely interested in others’ backgrounds
- Share something real about your own experience
- Look for connections and complementary expertise
- Set a tone of curiosity and mutual support
Throughout the Session:
- Refer to teammates by their character names
- Build on the team dynamic and shared story
- Celebrate team discoveries and successes
- Support each other through challenges
Setting Yourself Up for Success
Learning Mindset Checklist
Before your session, confirm you’re ready with this mindset:
Session Day Preparation
Arrive Ready to:
- Introduce yourself authentically - Share your real background and interests
- Listen actively - Others have knowledge you can learn from
- Contribute genuinely - Your perspective and questions matter
- Embrace the unexpected - Sessions evolve based on team discoveries
- Have fun learning - Enjoy the collaborative problem-solving experience
Emergency Phrases for New Participants
When You’re Lost:
- “Can someone explain what [term] means?”
- “I’m not familiar with that concept - can you give me the basics?”
- “How does this connect to what we discussed earlier?”
- “What’s the most important thing I should understand here?”
When Contributing:
- “From my experience in [your field], this seems similar to…”
- “I don’t know the technical details, but from a business perspective…”
- “That reminds me of a situation where…”
- “What if we approached this from the angle of…?”
When Supporting Others:
- “That’s an interesting point - can you tell us more?”
- “How does that connect to what [teammate] said earlier?”
- “What would that look like in practice?”
- “That’s a perspective I hadn’t considered.”
Your success isn’t measured by how much you already know, but by how effectively you collaborate, contribute, and learn with your team. Come as yourself, bring your curiosity, and trust the process!
What’s Next
Now that you’re prepared for your session experience, let’s explore the world of Malmons - the digital threats you’ll be investigating and responding to as a team. Understanding these “creatures” and their behaviors will help you contribute effectively to your incident response team’s success.
Ready to dive deeper? Continue to Understanding Malmons to learn about the digital threats you’ll encounter, or jump to Effective Participation for tips on being an excellent teammate.
Understanding Malmons
What Are Malmons?
Malmons are digital threats represented as creatures with distinct characteristics, behaviors, and capabilities. Each Malmon represents a real malware family or attack technique, but thinking of them as creatures with personalities helps teams understand their behavior patterns and develop effective countermeasures.
Just as a wildlife biologist studies animal behaviors to predict where they’ll go and what they’ll do, cybersecurity professionals study Malmon behaviors to anticipate attack progression and choose appropriate defenses.
Real Threats, Creature Framework
Every Malmon in the collection is based on actual malware families studied by security researchers:
- GaboonGrabber represents sophisticated Trojans that mimic legitimate software
- WannaCry embodies the rapid-spreading network worms that can paralyze organizations
- Stuxnet captures the precision and stealth of nation-state cyber weapons
- LockBit demonstrates modern ransomware-as-a-service operations
The creature framework makes these threats more approachable and memorable while maintaining technical accuracy about their real-world behaviors.
The Type System
Every Malmon belongs to one or more types that determine its strengths, weaknesses, and preferred attack methods. Understanding type relationships is crucial for effective incident response.
Professional Context: These game classifications connect directly to real cybersecurity terminology and defensive strategies used by security professionals. For facilitators, detailed guidance on explaining these connections is available in the IM Handbook classification guide.
Primary Types
Trojan-Type Malmons
Characteristics: Masters of deception and disguise
- Strengths: Evade traditional security defenses, appear legitimate to users
- Common Behaviors: Masquerade as software updates, hide in trusted processes
- Weaknesses: Vulnerable to behavioral analysis and runtime monitoring
- Examples: GaboonGrabber, FakeBat
Worm-Type Malmons
Characteristics: Rapid network propagation specialists
- Strengths: Self-replicating, can spread without user interaction
- Common Behaviors: Exploit network vulnerabilities, lateral movement
- Weaknesses: Contained by network segmentation and traffic monitoring
- Examples: WannaCry, Code Red, Raspberry Robin
Ransomware-Type Malmons
Characteristics: Data hostage specialists
- Strengths: High impact through data encryption, direct financial motivation
- Common Behaviors: File encryption, demand payments, deadline pressure
- Weaknesses: Defeated by comprehensive backup strategies and network isolation
- Examples: LockBit, WannaCry (hybrid type)
Rootkit-Type Malmons
Characteristics: Deep system infiltration experts
- Strengths: Hide at system level, difficult to detect, maintain persistence
- Common Behaviors: Modify system components, evade detection tools
- Weaknesses: Exposed by forensic analysis and integrity checking
- Examples: Stuxnet (hybrid), advanced persistence mechanisms
APT-Type Malmons (Advanced Persistent Threat)
Characteristics: Long-term stealth operations
- Strengths: Patient, sophisticated, well-resourced attacks
- Common Behaviors: Slow progression, intelligence gathering, target research
- Weaknesses: Vulnerable to threat intelligence and behavioral analysis
- Examples: Stuxnet, Noodle RAT, Gh0st RAT
Infostealer-Type Malmons
Characteristics: Data harvesting specialists
- Strengths: Targeted data collection, credential theft
- Common Behaviors: Monitor user activity, harvest passwords, collect sensitive data
- Weaknesses: Defeated by encryption and access controls
- Examples: Noodle RAT, PoisonIvy
The Lenaean Taxonomy
Every Malmon has a formal scientific name in addition to its common name. This system, known as the Lenaean Taxonomy, provides a precise way to classify threats based on their habitat, kingdom, and primary function.
How to Read a Scientific Name
A Lenaean name consists of five parts:
Winwormia Denior Coderedius (Global 2001)
- Habitat (Win): The primary operating system habitat (Windows).
- Kingdom (wormia): The fundamental nature of the threat (Autonomous self-propagation).
- Function (Denior): The primary ecological impact (Denial of Service).
- Trait (Coderedius): A defining species-level trait or name-marker.
- Discovery (Global 2001): Where and when the threat was first documented.
Understanding these names helps you quickly identify a Malmon’s core behavior and its place in the digital ecosystem. For a full breakdown of the taxonomy system, visit the Lenaean Taxonomy reference page.
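The five-part structure described above can be checked mechanically. The parser below is an added example, not part of the handbook or the game's own tooling: it splits a Lenaean name into habitat, kingdom, function, trait and discovery, using the kingdom labels (Wormia, Trojania, Wareia) and function labels (Cryptor, Destroyor, Spyor, Denior) that appear elsewhere on this page. The page shows only one habitat ("Win"), so the habitat is recovered as whatever precedes a known kingdom rather than from a fixed list; treating those two vocabularies as complete is an assumption of the example.

```python
"""Parse a Lenaean Taxonomy name of the form
"<Habitat><Kingdom> <Function> <Trait> (<Place> <Year>)".

Added example (not from the handbook). KINGDOMS and FUNCTIONS are taken
from the labels shown on the page and are assumed to be the complete
vocabularies; the habitat prefix is whatever precedes the kingdom.
"""
import re
from dataclasses import dataclass

# Assumed vocabularies, drawn from the labels shown on the page.
KINGDOMS = ("wormia", "trojania", "wareia")
FUNCTIONS = ("Cryptor", "Destroyor", "Spyor", "Denior")


@dataclass(frozen=True)
class LenaeanName:
    habitat: str          # e.g. "Win" (primary operating system)
    kingdom: str          # e.g. "wormia" (fundamental nature of the threat)
    function: str         # e.g. "Denior" (primary ecological impact)
    trait: str            # e.g. "Coderedius" (species-level marker)
    discovery_place: str  # e.g. "Global"
    discovery_year: int   # e.g. 2001


# Three words, then "(<place> <four-digit year>)" at the end of the string.
_NAME_RE = re.compile(
    r"^(?P<genus>[A-Za-z]+)\s+(?P<function>[A-Za-z]+)\s+(?P<trait>[A-Za-z]+)"
    r"\s+\((?P<place>[^()\d][^()]*?)\s+(?P<year>\d{4})\)$"
)


def parse_lenaean(name: str) -> LenaeanName:
    """Split a Lenaean name into its five parts; raise ValueError if malformed."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a five-part Lenaean name: {name!r}")

    genus = m["genus"]
    # The first word fuses habitat and kingdom ("Win" + "wormia");
    # split it on a known kingdom suffix, case-insensitively.
    kingdom = next((k for k in KINGDOMS if genus.lower().endswith(k)), None)
    if kingdom is None or len(genus) == len(kingdom):
        raise ValueError(f"unknown or missing kingdom in {genus!r}")
    habitat = genus[: len(genus) - len(kingdom)]

    function = m["function"]
    if function not in FUNCTIONS:
        raise ValueError(f"unknown function {function!r}")

    return LenaeanName(
        habitat=habitat,
        kingdom=kingdom,
        function=function,
        trait=m["trait"],
        discovery_place=m["place"].strip(),
        discovery_year=int(m["year"]),
    )


def is_valid_lenaean(name: str) -> bool:
    """True if the name parses under the assumed vocabularies."""
    try:
        parse_lenaean(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The worked example from the handbook.
    print(parse_lenaean("Winwormia Denior Coderedius (Global 2001)"))
```

Running the module prints the parsed components of the handbook's example name; a name with a missing part or an unrecognised kingdom or function is rejected with a `ValueError` rather than silently mis-split.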
Type Effectiveness Matrix
Different response strategies work better against specific Malmon types:
[Type Effectiveness Matrix: the cell values are not present in this version. Columns: Trojan, Worm, Ransomware, Rootkit, APT, Phishing, Botnet, Infostealer. Rows: Wormia, Trojania, Wareia, Cryptor, Destroyor, Spyor, Denior. See the Type Effectiveness Chart in the quick reference.]
Hybrid Types
Many advanced Malmons combine characteristics from multiple types:
- WannaCry: Worm/Ransomware hybrid with rapid spreading and data encryption
- Stuxnet: APT/Rootkit hybrid with nation-state sophistication and deep system access
- LitterDrifter: Worm/APT hybrid spreading via USB with geopolitical targeting
Legacy vs Contemporary Malmons
The Malmon collection includes both contemporary threats and Legacy Malmons - historically significant threats that shaped modern cybersecurity practices. Understanding both helps teams learn from the evolution of digital threats.
🕰️ Legacy Malmons
Legacy Malmons represent threats from cybersecurity history (typically 2000-2010) that were revolutionary for their time and established attack patterns still seen today.
Characteristics of Legacy Malmons
Visual Identification: Legacy Malmons are easily identified by their card design:
- “LEGACY” Type Prefix: Cards display “LEGACY • WORM/HISTORICAL” instead of just “WORM/HISTORICAL”
- Historical Context: Card descriptions reference specific years and historical technology
- Evolution Information: Cards explain how the threat has evolved into modern forms
- Educational Focus: Emphasis on learning value and pattern recognition
Key Differences from Contemporary Malmons:
- Legacy cards teach threat evolution and historical context
- Contemporary cards focus on current practical response techniques
- Both use identical game mechanics and statistics
- Legacy threats often have lower detection scores reflecting historical security limitations
Legacy Malmon Examples
Code Red (2001) - Worm/Historical
Code Red
Code Red is a pioneering computer worm that emerged in 2001, targeting Microsoft IIS web servers across the internet. Using a buffer overflow vulnerability, it rapidly replicated itself while defacing web pages with pro-China messages. Code Red demonstrated the potential for internet-wide automated attacks and influenced modern worm design principles. At its peak, Code Red infected over 400,000 servers within hours, making it one of the first major internet security incidents.
- Historical Impact: First major internet-wide worm, infected 400,000 servers
- Innovation: Automated scanning and mass infection without files
- Modern Descendants: Web application attacks, API vulnerabilities, cloud breaches
- Learning Value: Understanding automated threat propagation principles
Stuxnet (2010) - APT/Rootkit/Historical
- Historical Impact: First known cyber weapon targeting industrial control systems
- Innovation: Nation-state precision targeting, physical damage from cyber attacks
- Modern Descendants: Critical infrastructure attacks, OT security concerns
- Learning Value: Understanding sophisticated nation-state capabilities
Gh0st RAT (2009) - APT/Infostealer/Historical
- Historical Impact: Popularized remote access trojans for espionage
- Innovation: Comprehensive remote control and data exfiltration
- Modern Descendants: Modern RATs, advanced persistent threats
- Learning Value: Understanding long-term persistent access techniques
Poison Ivy (2005) - APT/Infostealer/Historical
- Historical Impact: Established corporate espionage attack patterns
- Innovation: Targeted data theft from specific organizations
- Modern Descendants: Modern corporate espionage, supply chain attacks
- Learning Value: Understanding targeted threat actor methodologies
🆕 Contemporary Malmons
Contemporary Malmons represent current active threats using modern techniques and targeting today’s technology infrastructure.
Contemporary Examples
GaboonGrabber - Modern Trojan/Stealth
[Malmon card: GaboonGrabber]
GaboonGrabber was discovered and named by Lena aka LambdaMamba, and is the first Malmon ever created. Written in .NET, it extracts embedded resources to launch multiple fileless stages. It camouflages itself as legitimate software—even mimicking app code—to avoid detection. Its final stage can deploy threats like Snake Keylogger, AgentTesla, Redline, Lokibot, and more.
Additional Contemporary Malmons:
- LockBit: Current ransomware-as-a-service operations
- Raspberry Robin: Modern USB-based propagation techniques
- FakeBat: Current malvertising and social engineering
Learning from Both Eras
Historical + Modernization Sessions
Some sessions use Legacy Malmons with a two-phase approach:
- Historical Investigation: Experience the threat using period-appropriate technology and knowledge
- Collaborative Modernization: Work together to discover how the threat has evolved into current forms
This approach helps teams understand:
- Threat Evolution: How attack patterns adapt to new technology
- Defensive Evolution: How security practices developed in response
- Pattern Recognition: Identifying persistent attack principles across eras
- Historical Context: Why current security practices exist
Contemporary-Only Sessions
Most sessions focus on Contemporary Malmons for immediate practical value:
- Current Techniques: Learn responses using modern tools and practices
- Immediate Application: Skills directly applicable to current work
- Modern Context: Scenarios using current technology and business environments
Malmon Abilities and Characteristics
Signature Abilities
Each Malmon has unique capabilities that define its attack patterns:
Primary Abilities
Core strengths that the Malmon excels at:
- Perfect Mimicry: Appears identical to legitimate software
- Rapid Propagation: Spreads quickly through network vulnerabilities
- Deep Persistence: Maintains access through system restarts and updates
- Behavioral Camouflage: Blends into normal activity patterns to avoid detection
Special Attacks
Unique techniques that distinguish each Malmon:
- Fileless Deployment: Operates entirely in memory without disk artifacts
- Kill Switch Vulnerability: Can be instantly neutralized if its weakness is discovered
- Multi-Payload Delivery: Deploys additional threats after establishing foothold
- Air Gap Jumping: Spreads between isolated network segments
Threat Levels
Malmons are classified by complexity and potential impact:
- ⭐ Basic: Straightforward threats with well-understood behaviors
- ⭐⭐ Intermediate: Sophisticated threats requiring coordinated response
- ⭐⭐⭐ Advanced: Nation-state level threats with multiple advanced capabilities
Evolution Mechanics
One of the most important Malmon characteristics is their ability to evolve during incidents, gaining new capabilities and becoming more dangerous if not contained quickly.
Evolution Triggers
Malmons attempt to evolve when:
Time Pressure
- Teams take too long to identify the threat type
- Investigation phase extends without effective containment
- Response actions are delayed or poorly coordinated
Environmental Conditions
- Network lacks proper segmentation
- Systems missing critical security updates
- Monitoring coverage has blind spots
- Backup systems are inadequate or offline
Failed Containment
- Initial response strategies prove ineffective
- Malmon successfully evades detection attempts
- Team fails to exploit known type weaknesses
- Coordination between team members breaks down
Evolution Examples
GaboonGrabber Evolution Chain
- Basic Form: Simple Trojan mimicking software updates
- Evolves To: Multi-Stage Loader deploying additional payloads
- Final Form: Advanced Persistent Threat with network-wide compromise
- Trigger: Successful initial infection + 24+ hours without containment
WannaCry Evolution Chain
- Basic Form: Ransomware encrypting local files
- Evolves To: Network Worm spreading via SMB vulnerabilities
- Final Form: Global Pandemic Worm with infrastructure impact
- Trigger: Network propagation success + vulnerable target environment
WannaCry ATT&CK Analysis
🎯 MITRE ATT&CK Technique Analysis
| Technique | Tactic | Description | Mitigation | Detection |
|---|---|---|---|---|
| T1566.001 Spearphishing Attachment | Initial Access | Initial infection vector through malicious email attachments | Email security, user training, attachment scanning | Email analysis, attachment behavior monitoring |
| T1210 Exploitation of Remote Services | Lateral Movement | Uses EternalBlue exploit to spread via SMB vulnerabilities | Patch management, network segmentation, SMB hardening | Network monitoring, exploit detection, vulnerability scanning |
| T1486 Data Encrypted for Impact | Impact | Encrypts files and demands ransom payment for decryption | Backup systems, file monitoring, user training | File modification monitoring, encryption behavior, ransom notes |
IM Facilitation Notes:
- Use these techniques to guide player investigation questions
- Help players connect evidence to specific ATT&CK techniques
- Highlight type effectiveness relationships in responses
- Encourage discussion of real-world mitigation strategies
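As an added example (not part of the handbook or the Malware & Monsters materials), the Python below maps constructed event records to the three WannaCry techniques in the table, the evidence-to-technique link the facilitation notes ask players to make. The event format, the thresholds, the mail-client and script-host lists, and the `.locked` extension and `README_DECRYPT.txt` note name are assumptions for the exercise, not real WannaCry indicators.

```python
"""Evidence-to-ATT&CK mapping for the WannaCry techniques in the table above.
Added illustration for this handbook; event shape, thresholds and indicator
names are assumptions constructed for the exercise, not real WannaCry IoCs."""
from collections import defaultdict
import ntpath

MAIL_CLIENTS = {"outlook.exe", "winword.exe", "excel.exe"}          # assumed parents
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
SMB_FANOUT_THRESHOLD = 20   # distinct 445/tcp peers from one host (assumed)
RENAME_THRESHOLD = 25       # renames to the ransom extension (assumed)
RANSOM_EXT = ".locked"              # constructed placeholder extension
RANSOM_NOTE = "README_DECRYPT.txt"  # constructed placeholder note name


def map_events_to_techniques(events):
    """Return {host: sorted technique ids} for hosts whose events match a rule."""
    smb_peers, renames, notes, hits = (defaultdict(set), defaultdict(int),
                                       defaultdict(bool), defaultdict(set))
    for ev in events:
        host, kind = ev["host"], ev["kind"]
        if kind == "process" and ev["parent"].lower() in MAIL_CLIENTS \
                and ev["image"].lower() in SCRIPT_HOSTS:
            hits[host].add("T1566.001")      # mail client spawned a script host
        elif kind == "netconn" and ev["dport"] == 445:
            smb_peers[host].add(ev["dst"])   # judged later on fan-out, not one peer
        elif kind == "file_rename" and ev["path"].lower().endswith(RANSOM_EXT):
            renames[host] += 1
        elif kind == "file_create" and ntpath.basename(ev["path"]) == RANSOM_NOTE:
            notes[host] = True
    for host, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_THRESHOLD:
            hits[host].add("T1210")          # one host probing many SMB peers
    for host, count in renames.items():
        if count >= RENAME_THRESHOLD and notes[host]:
            hits[host].add("T1486")          # mass renames plus a ransom note
    return {host: sorted(ids) for host, ids in hits.items()}


# Constructed sample: ws01 shows the full chain, ws02 is ordinary file-server use.
DOCS = "C:\\Users\\a\\Documents\\"
SAMPLE_EVENTS = (
    [{"host": "ws01", "kind": "process", "parent": "outlook.exe", "image": "wscript.exe"}]
    + [{"host": "ws01", "kind": "netconn", "dst": f"10.0.0.{i}", "dport": 445} for i in range(1, 41)]
    + [{"host": "ws01", "kind": "file_rename", "path": f"{DOCS}doc{i}.docx{RANSOM_EXT}"} for i in range(30)]
    + [{"host": "ws01", "kind": "file_create", "path": DOCS + RANSOM_NOTE}]
    + [{"host": "ws02", "kind": "netconn", "dst": f"10.0.0.{i}", "dport": 445} for i in range(1, 4)]
    + [{"host": "ws02", "kind": "file_rename", "path": "C:\\Users\\b\\old.docx" + RANSOM_EXT}]
)

if __name__ == "__main__":
    for host, ids in map_events_to_techniques(SAMPLE_EVENTS).items():
        print(host, ", ".join(ids))    # ws01 T1210, T1486, T1566.001
```

The SMB rule keys on fan-out rather than a single connection, and the encryption rule requires both mass renames and a note, so a user saving a few files to a share does not trigger either.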
Code Red Evolution Chain
- Basic Form: Web Server Worm with simple defacement
- Evolves To: DDoS Botnet with coordinated attacks
- Final Form: Internet Infrastructure Threat
- Trigger: Large-scale propagation + coordination with other instances
Code Red ATT&CK Analysis
🎯 MITRE ATT&CK Technique Analysis
| Technique | Tactic | Description | Mitigation | Detection |
|---|---|---|---|---|
| T1105 Ingress Tool Transfer | Command and Control | Downloads additional malware components and updates | Network monitoring, application control, traffic analysis | Download monitoring, C2 detection, file analysis |
| T1190 Exploit Public-Facing Application | Initial Access | Exploits IIS web server vulnerabilities for initial compromise | Web application firewalls, patch management, server hardening | Web server monitoring, exploit detection, traffic analysis |
| T1498 Network Denial of Service | Impact | Launches coordinated DDoS attacks against target infrastructure | DDoS protection, traffic filtering, capacity planning | Traffic analysis, bandwidth monitoring, attack pattern recognition |
IM Facilitation Notes:
- Use these techniques to guide player investigation questions
- Help players connect evidence to specific ATT&CK techniques
- Highlight type effectiveness relationships in responses
- Encourage discussion of real-world mitigation strategies
Preventing Evolution
Teams can prevent Malmon evolution through:
- Rapid identification using type-specific detection methods
- Effective containment exploiting known type weaknesses
- Coordinated response leveraging each role’s expertise
- Environmental hardening addressing vulnerabilities the Malmon requires
Regional Variants
Malmons adapt to different environments, creating regional variants with specialized capabilities:
Industry-Specific Variants
Healthcare Variants
- HIPAA-Focused Targeting: Specialized in medical record theft
- Clinical System Integration: Understands healthcare workflows
- Compliance Evasion: Avoids triggering regulatory monitoring
Financial Variants
- PCI-DSS Awareness: Targets payment card data specifically
- Banking Protocol Knowledge: Exploits financial system communications
- Transaction Manipulation: Capable of altering financial transfers
Industrial Variants
- SCADA Integration: Targets industrial control systems
- Physical Process Understanding: Can cause real-world damage
- Safety System Bypass: Disables critical safety mechanisms
Geographic Variants
Nation-State Variants
- Geopolitical Targeting: Focuses on specific countries or regions
- Cultural Intelligence: Uses region-specific social engineering
- Infrastructure Knowledge: Targets country-specific critical systems
Legendary Malmons
Some Malmons are so sophisticated and impactful they’re classified as Legendary - ultra-rare threats that represent the pinnacle of cyber attack capabilities.
Characteristics of Legendary Malmons
- Nation-state development with significant resource investment
- Multiple zero-day exploits unknown to the security community
- Cross-platform capabilities affecting diverse systems
- Physical world impact beyond typical digital damage
- Historical significance changing cybersecurity practices
Known Legendary Malmons
Stuxnet ⭐⭐⭐ (Legendary)
The Industrial Saboteur
- Signature Ability: Air Gap Jumping via USB propagation
- Special Attack: Centrifuge Manipulation targeting uranium enrichment
- Hidden Ability: Four Zero-Day Arsenal with coordinated exploitation
- Evolution: Global Infrastructure Targeting across critical sectors
Stuxnet ATT&CK Analysis
🎯 MITRE ATT&CK Technique Analysis
| Technique | Tactic | Description | Mitigation | Detection |
|---|---|---|---|---|
| T1068 Exploitation for Privilege Escalation | Privilege Escalation | Uses multiple zero-day exploits for system-level access | Patch management, privilege controls, system hardening | Exploit detection, privilege monitoring, behavioral analysis |
| T1105 Ingress Tool Transfer | Command and Control | Downloads additional tools and updates for sustained operations | Network monitoring, application control, traffic analysis | Download monitoring, C2 detection, file analysis |
| T1091 Replication Through Removable Media | Initial Access | Spreads via infected USB drives to breach air-gapped networks | USB controls, device management, network segmentation | USB monitoring, removable media scanning, network analysis |
IM Facilitation Notes:
- Use these techniques to guide player investigation questions
- Help players connect evidence to specific ATT&CK techniques
- Highlight type effectiveness relationships in responses
- Encourage discussion of real-world mitigation strategies
Conficker ⭐⭐⭐ (Legendary)
The Persistent Pandemic
- Signature Ability: Multi-Vector Propagation via network, USB, and email
- Special Attack: Domain Generation Algorithm evading takedown efforts
- Hidden Ability: Botnet Coordination with millions of infected systems
- Evolution: Self-Updating Infrastructure with autonomous capabilities
Understanding Malmon Behavior in Practice
Reading Malmon Cards
Each Malmon you encounter will be presented on a visual card. Here’s how to read the different components:
Card Header and Basic Information
[Malmon card: GaboonGrabber]
The header shows the Malmon’s name, type classification, and threat level (⭐ to ⭐⭐⭐).
Primary Abilities
[Malmon card: GaboonGrabber]
The primary ability represents the Malmon’s core strength and main attack method.
Special Attacks
[Malmon card: GaboonGrabber]
Special attacks are unique techniques that distinguish this Malmon from others of the same type.