Understanding Malmons

What Are Malmons?

Malmons are digital threats represented as creatures with distinct characteristics, behaviors, and capabilities within our cybersecurity education framework. Each Malmon represents a real malware family or attack technique, but thinking of them as creatures with personalities helps teams understand their behavior patterns and develop effective countermeasures through security awareness training methodologies.

Just as a wildlife biologist studies animal behaviors to predict where they'll go and what they'll do, cybersecurity professionals study Malmon behaviors to anticipate attack progression and choose appropriate defenses.

Real Threats, Creature Framework

Every Malmon in the collection is based on actual malware families studied by security researchers:

  • GaboonGrabber represents sophisticated Trojans that mimic legitimate software
  • WannaCry embodies the rapid-spreading network worms that can paralyze organizations
  • Stuxnet captures the precision and stealth of nation-state cyber weapons
  • LockBit demonstrates modern ransomware-as-a-service operations

The creature framework makes these threats more approachable and memorable while maintaining technical accuracy about their real-world behaviors, supporting cybersecurity skills development through our gamified incident response training approach.

The Type System

Every Malmon belongs to one or more types that determine its strengths, weaknesses, and preferred attack methods. Understanding type relationships is crucial for effective incident response.

Primary Types

Trojan-Type Malmons

Characteristics: Masters of deception and disguise

  • Strengths: Evade traditional security defenses, appear legitimate to users
  • Common Behaviors: Masquerade as software updates, hide in trusted processes
  • Weaknesses: Vulnerable to behavioral analysis and runtime monitoring
  • Examples: GaboonGrabber, FakeBat

Worm-Type Malmons

Characteristics: Rapid network propagation specialists

  • Strengths: Self-replicating, can spread without user interaction
  • Common Behaviors: Exploit network vulnerabilities, lateral movement
  • Weaknesses: Contained by network segmentation and traffic monitoring
  • Examples: WannaCry, Code Red, Raspberry Robin

Ransomware-Type Malmons

Characteristics: Data hostage specialists

  • Strengths: High impact through data encryption, direct financial motivation
  • Common Behaviors: File encryption, demand payments, deadline pressure
  • Weaknesses: Defeated by comprehensive backup strategies and network isolation
  • Examples: LockBit, WannaCry (hybrid type)

Rootkit-Type Malmons

Characteristics: Deep system infiltration experts

  • Strengths: Hide at system level, difficult to detect, maintain persistence
  • Common Behaviors: Modify system components, evade detection tools
  • Weaknesses: Exposed by forensic analysis and integrity checking
  • Examples: Stuxnet (hybrid), advanced persistence mechanisms

APT-Type Malmons (Advanced Persistent Threat)

Characteristics: Long-term stealth operations

  • Strengths: Patient, sophisticated, well-resourced attacks
  • Common Behaviors: Slow progression, intelligence gathering, target research
  • Weaknesses: Vulnerable to threat intelligence and behavioral analysis
  • Examples: Stuxnet, Noodle RAT, Gh0st RAT

Infostealer-Type Malmons

Characteristics: Data harvesting specialists

  • Strengths: Targeted data collection, credential theft
  • Common Behaviors: Monitor user activity, harvest passwords, collect sensitive data
  • Weaknesses: Defeated by encryption and access controls
  • Examples: Noodle RAT, PoisonIvy

Type Effectiveness Matrix

Different response strategies work better against specific Malmon types:

Type         Weak to        Resists
Trojan       Detection      Training
Worm         Isolation      Backup
Ransomware   Backup         Encryption
Rootkit      Forensics      Detection
APT          Intelligence   (none listed)
Phishing     Training       (none listed)
Botnet       Coordination   (none listed)
Infostealer  Encryption     (none listed)

Hybrid Types

Many advanced Malmons combine characteristics from multiple types:

  • WannaCry: Worm/Ransomware hybrid with rapid spreading and data encryption
  • Stuxnet: APT/Rootkit hybrid with nation-state sophistication and deep system access
  • LitterDrifter: Worm/APT hybrid spreading via USB with geopolitical targeting

Legacy vs Contemporary Malmons

The Malmon collection includes both contemporary threats and Legacy Malmons - historically significant threats that shaped modern cybersecurity practices. Understanding both helps teams learn from the evolution of digital threats.

๐Ÿ•ฐ๏ธ Legacy Malmons

Legacy Malmons represent threats from cybersecurity history (typically 2000-2010) that were revolutionary for their time and established attack patterns still seen today.

Characteristics of Legacy Malmons

Visual Identification: Legacy Malmons are easily identified by their card design:

  • “LEGACY” Type Prefix: Cards display “LEGACY • WORM/HISTORICAL” instead of just “WORM/HISTORICAL”
  • Historical Context: Card descriptions reference specific years and historical technology
  • Evolution Information: Cards explain how the threat has evolved into modern forms
  • Educational Focus: Emphasis on learning value and pattern recognition

Key Differences from Contemporary Malmons:

  • Legacy cards teach threat evolution and historical context
  • Contemporary cards focus on current practical response techniques
  • Both use identical game mechanics and statistics
  • Legacy threats often have lower detection scores reflecting historical security limitations

Legacy Malmon Examples

Code Red (2001) - Worm/Historical

Card: LEGACY • Code Red | Worm/Web Server | ⭐⭐

Code Red is a pioneering computer worm that emerged in 2001, targeting Microsoft IIS web servers across the internet. Using a buffer overflow vulnerability, it rapidly replicated itself while defacing web pages with pro-China messages. Code Red demonstrated the potential for internet-wide automated attacks and influenced modern worm design principles. At its peak, Code Red infected over 400,000 servers within hours, making it one of the first major internet security incidents.

🔥 Primary Ability: Web Server Exploitation
  Targets Microsoft IIS web servers via buffer overflow vulnerability
⚡ Special Attack: Rapid Internet Propagation
  Self-replicating across internet infrastructure with exponential growth potential
🔮 Hidden Ability: DDoS Coordination
  Infected systems coordinate distributed denial of service attacks
⬆️ Evolution: Internet Infrastructure Threat
  Achieves massive scale with potential to disrupt internet services
💎 Weakness: Patch Management
  Completely prevented by applying Microsoft security updates

Stats: 🔍 Detection 3 · 🔒 Persistence 5 · 📡 Spread 10 · 💣 Payload 6 · 🥷 Evasion 4

  • Historical Impact: First major internet-wide worm, infected 400,000 servers
  • Innovation: Automated scanning and mass infection without files
  • Modern Descendants: Web application attacks, API vulnerabilities, cloud breaches
  • Learning Value: Understanding automated threat propagation principles

Stuxnet (2010) - APT/Rootkit/Historical

  • Historical Impact: First known cyber weapon targeting industrial control systems
  • Innovation: Nation-state precision targeting, physical damage from cyber attacks
  • Modern Descendants: Critical infrastructure attacks, OT security concerns
  • Learning Value: Understanding sophisticated nation-state capabilities

Gh0st RAT (2009) - APT/Infostealer/Historical

  • Historical Impact: Popularized remote access trojans for espionage
  • Innovation: Comprehensive remote control and data exfiltration
  • Modern Descendants: Modern RATs, advanced persistent threats
  • Learning Value: Understanding long-term persistent access techniques

Poison Ivy (2005) - APT/Infostealer/Historical

  • Historical Impact: Established corporate espionage attack patterns
  • Innovation: Targeted data theft from specific organizations
  • Modern Descendants: Modern corporate espionage, supply chain attacks
  • Learning Value: Understanding targeted threat actor methodologies

🆕 Contemporary Malmons

Contemporary Malmons represent current active threats using modern techniques and targeting today's technology infrastructure.

Contemporary Examples

GaboonGrabber - Modern Trojan/Stealth

Card: GaboonGrabber | Trojan/Stealth | ⭐⭐

GaboonGrabber was discovered and named by Lena aka LambdaMamba, and is the first Malmon ever created. Written in .NET, it extracts embedded resources to launch multiple fileless stages. It camouflages itself as legitimate software, even mimicking app code, to avoid detection. Its final stage can deploy threats like Snake Keylogger, AgentTesla, Redline, Lokibot, and more.

🔥 Primary Ability: Perfect Mimicry
  Appears as legitimate software updates with +3 bonus to social engineering attempts
⚡ Special Attack: Fileless Deployment
  Uses process injection and memory-only persistence with +2 bonus against traditional antivirus
🔮 Hidden Ability: Multi-Payload Delivery
  Can deploy Snake Keylogger, AgentTesla, or Redline after 24+ hours of successful infection
⬆️ Evolution: Advanced Persistent Threat
  Gains network lateral movement capabilities and develops custom tools for long-term persistence
💎 Weakness: Behavioral Analysis
  Vulnerable to runtime monitoring and behavioral detection with -3 penalty when defenders use advanced behavioral tools

Stats: 🔍 Detection 6 · 🔒 Persistence 8 · 📡 Spread 6 · 💣 Payload 7 · 🥷 Evasion 9

Additional Contemporary Malmons:

  • LockBit: Current ransomware-as-a-service operations
  • Raspberry Robin: Modern USB-based propagation techniques
  • FakeBat: Current malvertising and social engineering

Learning from Both Eras

Historical + Modernization Sessions

Some sessions use Legacy Malmons with a two-phase approach:

  1. Historical Investigation: Experience the threat using period-appropriate technology and knowledge
  2. Collaborative Modernization: Work together to discover how the threat has evolved into current forms

This approach helps teams understand:

  • Threat Evolution: How attack patterns adapt to new technology
  • Defensive Evolution: How security practices developed in response
  • Pattern Recognition: Identifying persistent attack principles across eras
  • Historical Context: Why current security practices exist

Contemporary-Only Sessions

Most sessions focus on Contemporary Malmons for immediate practical value:

  • Current Techniques: Learn responses using modern tools and practices
  • Immediate Application: Skills directly applicable to current work
  • Modern Context: Scenarios using current technology and business environments

Malmon Abilities and Characteristics

Signature Abilities

Each Malmon has unique capabilities that define its attack patterns:

Primary Abilities

Core strengths that the Malmon excels at:

  • Perfect Mimicry: Appears identical to legitimate software
  • Rapid Propagation: Spreads quickly through network vulnerabilities
  • Deep Persistence: Maintains access through system restarts and updates
  • Behavioral Camouflage: Blends normal activity patterns to avoid detection

Special Attacks

Unique techniques that distinguish each Malmon:

  • Fileless Deployment: Operates entirely in memory without disk artifacts
  • Kill Switch Vulnerability: Can be instantly neutralized if weakness is discovered
  • Multi-Payload Delivery: Deploys additional threats after establishing foothold
  • Air Gap Jumping: Spreads between isolated network segments

Hidden Abilities

Capabilities revealed during incidents that surprise response teams:

  • Command Center Coordination: Controls other Malmons in coordinated attacks
  • Zero-Day Arsenal: Uses previously unknown vulnerabilities
  • Cross-Platform Infection: Spreads between different operating systems
  • Industrial Sabotage: Targets critical infrastructure and physical systems

Threat Levels

Malmons are classified by complexity and potential impact:

  • โญ Basic: Straightforward threats with well-understood behaviors
  • โญโญ Intermediate: Sophisticated threats requiring coordinated response
  • โญโญโญ Advanced: Nation-state level threats with multiple advanced capabilities

Evolution Mechanics

One of the most important Malmon characteristics is their ability to evolve during incidents, gaining new capabilities and becoming more dangerous if not contained quickly.

Evolution Triggers

Malmons attempt to evolve when:

Time Pressure

  • Teams take too long to identify the threat type
  • Investigation phase extends without effective containment
  • Response actions are delayed or poorly coordinated

Environmental Conditions

  • Network lacks proper segmentation
  • Systems missing critical security updates
  • Monitoring coverage has blind spots
  • Backup systems are inadequate or offline

Failed Containment

  • Initial response strategies prove ineffective
  • Malmon successfully evades detection attempts
  • Team fails to exploit known type weaknesses
  • Coordination between team members breaks down

Evolution Examples

GaboonGrabber Evolution Chain

Basic Form: Simple Trojan mimicking software updates

  • Evolves To: Multi-Stage Loader deploying additional payloads
  • Final Form: Advanced Persistent Threat with network-wide compromise
  • Trigger: Successful initial infection + 24+ hours without containment

WannaCry Evolution Chain

Basic Form: Ransomware encrypting local files

  • Evolves To: Network Worm spreading via SMB vulnerabilities
  • Final Form: Global Pandemic Worm with infrastructure impact
  • Trigger: Network propagation success + vulnerable target environment

WannaCry ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

T1566.001 Spearphishing Attachment (Initial Access)
  Description: Initial infection vector through malicious email attachments
  Mitigation: Email security, user training, attachment scanning
  Detection: Email analysis, attachment behavior monitoring

T1210 Exploitation of Remote Services (Lateral Movement)
  Description: Uses EternalBlue exploit to spread via SMB vulnerabilities
  Mitigation: Patch management, network segmentation, SMB hardening
  Detection: Network monitoring, exploit detection, vulnerability scanning

T1486 Data Encrypted for Impact (Impact)
  Description: Encrypts files and demands ransom payment for decryption
  Mitigation: Backup systems, file monitoring, user training
  Detection: File modification monitoring, encryption behavior, ransom notes

IM Facilitation Notes:

  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies

Code Red Evolution Chain

Basic Form: Web Server Worm with simple defacement

  • Evolves To: DDoS Botnet with coordinated attacks
  • Final Form: Internet Infrastructure Threat
  • Trigger: Large-scale propagation + coordination with other instances

Code Red ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

T1190 Exploit Public-Facing Application (Initial Access)
  Description: Exploits IIS web server vulnerabilities for initial compromise
  Mitigation: Web application firewalls, patch management, server hardening
  Detection: Web server monitoring, exploit detection, traffic analysis

T1498 Network Denial of Service (Impact)
  Description: Launches coordinated DDoS attacks against target infrastructure
  Mitigation: DDoS protection, traffic filtering, capacity planning
  Detection: Traffic analysis, bandwidth monitoring, attack pattern recognition

T1105 Ingress Tool Transfer (Command and Control)
  Description: Downloads additional malware components and updates
  Mitigation: Network monitoring, application control, traffic analysis
  Detection: Download monitoring, C2 detection, file analysis

IM Facilitation Notes:

  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies

Preventing Evolution

Teams can prevent Malmon evolution through:

  • Rapid identification using type-specific detection methods
  • Effective containment exploiting known type weaknesses
  • Coordinated response leveraging each role's expertise
  • Environmental hardening addressing vulnerabilities the Malmon requires

Regional Variants

Malmons adapt to different environments, creating regional variants with specialized capabilities:

Industry-Specific Variants

Healthcare Variants

  • HIPAA-Focused Targeting: Specialized in medical record theft
  • Clinical System Integration: Understands healthcare workflows
  • Compliance Evasion: Avoids triggering regulatory monitoring

Financial Variants

  • PCI-DSS Awareness: Targets payment card data specifically
  • Banking Protocol Knowledge: Exploits financial system communications
  • Transaction Manipulation: Capable of altering financial transfers

Industrial Variants

  • SCADA Integration: Targets industrial control systems
  • Physical Process Understanding: Can cause real-world damage
  • Safety System Bypass: Disables critical safety mechanisms

Geographic Variants

Nation-State Variants

  • Geopolitical Targeting: Focuses on specific countries or regions
  • Cultural Intelligence: Uses region-specific social engineering
  • Infrastructure Knowledge: Targets country-specific critical systems

Legendary Malmons

Some Malmons are so sophisticated and impactful they're classified as Legendary - ultra-rare threats that represent the pinnacle of cyber attack capabilities.

Characteristics of Legendary Malmons

  • Nation-state development with significant resource investment
  • Multiple zero-day exploits unknown to the security community
  • Cross-platform capabilities affecting diverse systems
  • Physical world impact beyond typical digital damage
  • Historical significance changing cybersecurity practices

Known Legendary Malmons

Stuxnet โญโญโญ (Legendary)

The Industrial Saboteur

  • Signature Ability: Air Gap Jumping via USB propagation
  • Special Attack: Centrifuge Manipulation targeting uranium enrichment
  • Hidden Ability: Four Zero-Day Arsenal with coordinated exploitation
  • Evolution: Global Infrastructure Targeting across critical sectors

Stuxnet ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

T1105 Ingress Tool Transfer (Command and Control)
  Description: Downloads additional tools and updates for sustained operations
  Mitigation: Network monitoring, application control, traffic analysis
  Detection: Download monitoring, C2 detection, file analysis

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
  Description: Uses multiple zero-day exploits for system-level access
  Mitigation: Patch management, privilege controls, system hardening
  Detection: Exploit detection, privilege monitoring, behavioral analysis

T1091 Replication Through Removable Media (Initial Access)
  Description: Spreads via infected USB drives to breach air-gapped networks
  Mitigation: USB controls, device management, network segmentation
  Detection: USB monitoring, removable media scanning, network analysis

IM Facilitation Notes:

  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies

Conficker โญโญโญ (Legendary)

The Persistent Pandemic

  • Signature Ability: Multi-Vector Propagation via network, USB, and email
  • Special Attack: Domain Generation Algorithm evading takedown efforts
  • Hidden Ability: Botnet Coordination with millions of infected systems
  • Evolution: Self-Updating Infrastructure with autonomous capabilities

Understanding Malmon Behavior in Practice

Reading Malmon Cards

Each Malmon you encounter will be presented on a visual card. Here's how to read the different components:

Card Header and Basic Information

Card: GaboonGrabber | Trojan/Stealth | ⭐⭐
Stats: 🔍 Detection 5 · 🔒 Persistence 5 · 📡 Spread 5 · 💣 Payload 5 · 🥷 Evasion 5

The header shows the malmon's name, type classification, and threat level (⭐ to ⭐⭐⭐).

Primary Abilities

Card: GaboonGrabber | Trojan/Stealth | ⭐⭐
🔥 Primary Ability: Perfect Mimicry
  Appears as legitimate software updates with +3 bonus to social engineering attempts
Stats: 🔍 Detection 5 · 🔒 Persistence 5 · 📡 Spread 5 · 💣 Payload 5 · 🥷 Evasion 5

The primary ability represents the malmon's core strength and main attack method.

Special Attacks

Card: GaboonGrabber | Trojan/Stealth | ⭐⭐
⚡ Special Attack: Fileless Deployment
  Uses process injection and memory-only persistence with +2 bonus against traditional antivirus
Stats: 🔍 Detection 5 · 🔒 Persistence 5 · 📡 Spread 5 · 💣 Payload 5 · 🥷 Evasion 5

Special attacks are unique techniques that distinguish this malmon from others of the same type.

Hidden Abilities and Weaknesses

Card: GaboonGrabber | Trojan/Stealth | ⭐⭐
🔮 Hidden Ability: Multi-Payload Delivery
  Can deploy Snake Keylogger, AgentTesla, or Redline after 24+ hours of successful infection
💎 Weakness: Behavioral Analysis
  Vulnerable to runtime monitoring and behavioral detection with -3 penalty when defenders use advanced behavioral tools
Stats: 🔍 Detection 5 · 🔒 Persistence 5 · 📡 Spread 5 · 💣 Payload 5 · 🥷 Evasion 5

Hidden abilities are revealed during incidents, while weaknesses show how to effectively counter the malmon.

MITRE ATT&CK Technique Analysis

🎯 MITRE ATT&CK Technique Analysis

T1057 Process Discovery (Discovery)
  Description: Identifies running processes to understand system state and security tools
  Mitigation: Process monitoring, system hardening, security tool protection
  Detection: Process enumeration monitoring, security tool alerting

T1041 Exfiltration Over C2 Channel (Exfiltration)
  Description: Sends collected data to attacker-controlled servers via command and control channels
  Mitigation: Network monitoring, egress filtering, traffic analysis
  Detection: Network traffic analysis, C2 communication patterns, data flow monitoring

T1566.001 Spearphishing Attachment (Initial Access)
  Description: GaboonGrabber spreads via convincing phishing emails with malicious attachments
  Mitigation: Email security controls, user training, attachment scanning
  Detection: Email analysis, attachment behavior monitoring, user reporting

T1055 Process Injection (Defense Evasion)
  Description: Injects malicious code into legitimate processes to hide execution
  Mitigation: Process monitoring, memory protection, behavioral analysis
  Detection: Process behavior monitoring, memory analysis, API monitoring

T1547.001 Registry Run Keys/Startup Folder (Persistence)
  Description: Establishes persistence through registry modifications and startup mechanisms
  Mitigation: Registry monitoring, startup item control, system hardening
  Detection: Registry monitoring, startup enumeration, persistence scanning

T1005 Data from Local System (Collection)
  Description: Collects sensitive data from infected systems for exfiltration
  Mitigation: Data loss prevention, access controls, file monitoring
  Detection: File access monitoring, data collection patterns, DLP alerts

T1204.002 Malicious File (Execution)
  Description: Users execute the malicious payload believing it to be a legitimate software update
  Mitigation: Application control, user education, execution policy
  Detection: Process monitoring, execution logging, behavioral analysis

T1083 File and Directory Discovery (Discovery)
  Description: Enumerates files and directories to identify valuable data for collection
  Mitigation: File system monitoring, access controls, principle of least privilege
  Detection: File access monitoring, unusual enumeration patterns, audit logs

T1027 Obfuscated Files or Information (Defense Evasion)
  Description: Uses obfuscated .NET code and encrypted payloads to evade detection
  Mitigation: Code analysis tools, behavioral detection, sandboxing
  Detection: Static analysis, entropy analysis, deobfuscation tools

IM Facilitation Notes:

  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies

Applying Type Knowledge

When your team encounters a Trojan-type Malmon like GaboonGrabber:

Effective Strategies:

  • Focus on behavioral analysis rather than signature detection
  • Examine process behavior and memory usage patterns
  • Interview users about recent software installations
  • Check for unsigned or suspicious executables

Less Effective Strategies:

  • Relying solely on antivirus signatures
  • Network-based containment (Trojans often operate locally)
  • Simple file-based detection (may miss fileless variants)

Team Coordination:

  • Detective: Analyze execution artifacts and user reports
  • Protector: Deploy behavioral monitoring tools
  • Tracker: Monitor for unusual outbound communications
  • Communicator: Investigate social engineering vectors
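As an added illustration of the behavioral strategies above (this is editor-supplied example code, not part of the Malmon material), the following Python correlates constructed Sysmon-style events per process and tags what it finds with the ATT&CK IDs from GaboonGrabber's technique table. The event field names, file paths and addresses are assumed and made up for the sample.

```python
from collections import defaultdict

# Constructed Sysmon-style events (ids: 1 process create, 8 CreateRemoteThread,
# 13 registry value set, 3 network connect). Paths and IPs are made up.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Users\ann\Downloads\ChromeUpdate.exe",
     "parent": r"C:\Windows\explorer.exe", "signed": False},
    {"id": 8, "pid": 4100, "target": r"C:\Windows\System32\svchost.exe"},
    {"id": 13, "pid": 4100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 3, "pid": 4100, "dest": "203.0.113.7", "port": 443},
    {"id": 1, "pid": 5200, "image": r"C:\Program Files\Vendor\Vendor.exe",
     "parent": r"C:\Windows\explorer.exe", "signed": True},
    {"id": 3, "pid": 5200, "dest": "198.51.100.20", "port": 443},
]

USER_WRITABLE = ("/users/", "/appdata/", "/temp/", "/downloads/")
UPDATE_WORDS = ("update", "installer", "setup")


def _norm(path):
    """Lower-case and use forward slashes so substring checks are simple."""
    return path.lower().replace("\\", "/")


def rule_masquerading_update(ev):
    """T1204.002: unsigned binary with an update-style name run from a
    user-writable path (the 'check for unsigned or suspicious executables'
    strategy). Returns the technique id or None."""
    if ev["id"] != 1 or ev["signed"]:
        return None
    path = _norm(ev["image"])
    if any(d in path for d in USER_WRITABLE) and any(w in path for w in UPDATE_WORDS):
        return "T1204.002"
    return None


def rule_injection(ev):
    """T1055: a remote thread created in another process (event 8). Crude on
    purpose; real rules would whitelist known-good injectors."""
    return "T1055" if ev["id"] == 8 else None


def rule_run_key(ev):
    """T1547.001: a value written under a CurrentVersion\\Run key (event 13)."""
    if ev["id"] == 13 and "/currentversion/run" in _norm(ev["key"]):
        return "T1547.001"
    return None


RULES = (rule_masquerading_update, rule_injection, rule_run_key)


def triage(events):
    """Correlate rule hits per process. Returns {pid: {...}} for processes with
    at least one behavioral hit. Outbound connections (event 3) are reported
    only as a candidate T1041 on already-suspicious processes, so a lone
    HTTPS connection from a clean process is never an alert by itself."""
    findings = defaultdict(list)
    outbound = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit and hit not in findings[ev["pid"]]:
                findings[ev["pid"]].append(hit)
        if ev["id"] == 3:
            outbound[ev["pid"]].append(ev["dest"])
    report = {}
    for pid, techs in findings.items():
        techs = list(techs)
        if outbound[pid]:
            techs.append("T1041?")  # candidate C2/exfil channel for the Tracker
        escalate = "T1055" in techs or "T1547.001" in techs
        report[pid] = {"techniques": techs,
                       "verdict": "escalate" if escalate else "investigate",
                       "dests": outbound[pid]}
    return report


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(pid, info["verdict"], info["techniques"], info["dests"])
```

Only pid 4100 surfaces: the signed vendor binary making an outbound connection produces no finding, while the unsigned "update" that injects and persists is escalated with the four technique tags.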

Building Your Malmon Knowledge

The Learning Process

Understanding Malmons develops through:

  1. Direct Encounters during incident response sessions
  2. Team Discussions about effective and ineffective strategies
  3. Community Sharing of successful response techniques
  4. MalDex Documentation capturing lessons learned
  5. Cross-Training with teammates who have different expertise

Developing Type Intuition

With experience, you'll develop an intuitive understanding of:

  • Which response strategies work best against specific types
  • How to recognize type characteristics from initial symptoms
  • When Malmons are likely to attempt evolution
  • How different types interact in hybrid or coordinated attacks

Remember: Types Are Tools, Not Rules

The type system helps you think systematically about threats and responses, but real incidents often involve unique circumstances. Use type knowledge as a starting point, but always adapt to the specific situation your team faces.

In the next chapter, we'll explore how different incident response roles approach Malmon encounters, and how your chosen role shapes your contribution to the team's success.