FakeBat - Innovation Hub Coworking Crisis

Shared Workspace Under Multiple Client Deadline Pressure

Malware & Monsters

2025-12-04

Welcome to Malware & Monsters!

What You’re About to Experience

You’re part of Innovation Hub’s network operations team, managing a security incident affecting 120 independent freelancers sharing your coworking workspace—all with critical client deadlines Monday morning.

Your Mission

Investigate and contain a malware outbreak across the shared network while protecting freelancer client projects, maintaining professional services, and restoring systems before 120 separate business deadlines.

Quick Start for Incident Managers

New to facilitating Malware & Monsters? Start here:

IM Quick Start Guide - Everything you need to run this scenario in one concise document

The Hook

Friday Afternoon, 4:15 PM - Weekend Before Monday Chaos

Your coworking space is buzzing with freelancer activity. 120 independent professionals are preparing weekend work to meet Monday client deadlines:

  • Web designers finishing client website launches
  • Software developers deploying code to production
  • Marketing consultants delivering campaign materials
  • Legal professionals submitting court documents
  • Business consultants presenting strategic plans

Then your Network Administrator bursts into your office:

Carlos’s Emergency Report

“We have a serious network problem. Freelancers are reporting browser issues and weird software installations. They’ve been downloading ‘collaboration tools,’ ‘project management software,’ ‘productivity enhancers’—all fake. The shared network is compromised.”

Initial Observations

  • Browser behavior: Redirects during client communications
  • Advertisements: Persistent popups interfering with billable work
  • Fake software: “WorkSync Pro,” “FreelanceTools,” “ClientConnect,” “ProjectBoost”
  • Member complaints: “My client presentation won’t load,” “These ads are unprofessional”
  • Network impact: “If one member’s system is compromised, our shared network affects everyone”

120 independent businesses, 120 Monday deadlines, 48 hours to fix everything.

Organization Context

Innovation Hub: Professional Community Under Multi-Tenant Pressure

Organization Profile

  • Type: Freelancer coworking space and professional community
  • Members: 120 independent professionals across diverse industries
  • Services: Shared workspace, high-speed network, meeting rooms, professional events
  • Business Model: Monthly memberships ($300-600), day passes, meeting room rentals
  • Technology: Shared high-performance network, centralized WiFi, collaborative tools

Member Professional Diversity

Industries Represented:

  • Creative: Web designers, graphic designers, photographers, videographers
  • Technology: Software developers, UX designers, IT consultants, cybersecurity specialists
  • Business: Marketing consultants, business strategists, financial advisors
  • Legal: Attorneys, paralegals, compliance consultants
  • Other: Writers, researchers, educators, nonprofit coordinators

Current Critical Context

Monday Client Deadline Cascade:

  • Web Designer: Launching e-commerce site for major retail client ($50K project)
  • Software Developer: Deploying healthcare application to production (regulatory deadline)
  • Marketing Consultant: Presenting campaign strategy to Fortune 500 client
  • Attorney: Filing court documents (statutory deadline, no extensions)
  • Business Strategist: Delivering merger analysis to corporate client

Shared Network Architecture

  • Multi-Tenant Environment: All 120 freelancers share network infrastructure
  • Professional Requirements: High reliability, secure client communications, data protection
  • Member Device Diversity: Personal laptops, varied operating systems, different security postures
  • Reputation Dependency: Workspace brand built on reliable professional environment

Initial Symptoms

What You’re Seeing - Friday Afternoon

Network & System Behavior

  • Browser Redirections: Automatic redirects during client email and video calls
  • Advertisement Injection: Persistent popups appearing during professional work
  • Performance Degradation: Network slowdowns affecting all members
  • Unexpected Software: Unfamiliar programs on member devices

Freelancer-Installed Fake Software

Members report downloading programs that appeared necessary for client work:

  1. “WorkSync Pro” - Claimed to optimize remote collaboration
  2. “FreelanceTools” - “Essential utilities for independent professionals”
  3. “ClientConnect” - Appeared to enhance client communication security
  4. “ProjectBoost” - Promised project management efficiency
  5. “ProfessionalSuite” - Collection of “must-have” freelancer applications

Member Reports

  • “ClientConnect said it would protect my client communications—did I compromise their data?”
  • “I’m on a video call with a $100K client and ads keep popping up. This is embarrassing.”
  • “My project management software stopped working after installing FreelanceTools”
  • “I need the network reliable for Monday’s client deliverable—my business depends on it”

Multi-Tenant Network Concern

Carlos (Network Admin) reports: “Shared network architecture means one member’s compromised device can affect everyone. If we have widespread infections, the entire professional community is at risk. And we can’t just shut down—120 businesses are working here this weekend.”

NPCs: Your Key Contacts

People Who Need Your Help

Jennifer Wilson - Workspace Manager

What They Care About: Member retention, workspace reputation, professional environment quality, business sustainability

Current State: Worried about member exodus if network unreliable, managing workspace brand during security crisis

Helpful For: Business context, member relationship dynamics, workspace operations, community trust management

Potential Barrier: May resist network disruption affecting all 120 members simultaneously

Carlos Martinez - Network Administrator

What They Care About: Network security, shared infrastructure reliability, technical architecture integrity

Current State: Investigating multi-tenant network compromise, realizing shared workspace security complexity

Helpful For: Technical investigation, network architecture, remediation strategies, multi-tenant security challenges

Potential Barrier: Overwhelmed by scale (120 independent businesses with different needs)

Diana Foster - Community Manager

What They Care About: Member satisfaction, professional community health, workspace culture, individual member success

Current State: Managing member anxiety and frustration, coordinating diverse freelancer needs, worried about workspace trust

Helpful For: Member communication, community dynamics, freelancer business understanding, relationship building

Potential Barrier: May prioritize maintaining member comfort over security thoroughness

Robert Chen - Member Services Coordinator

What They Care About: Individual freelancer business success, client work support, service quality delivery

Current State: Addressing impact across diverse professions, coordinating 120 different business continuity needs

Helpful For: Professional diversity understanding, client obligation awareness, member business impact assessment

Potential Barrier: May struggle to balance 120 individual member needs with collective security requirements

NPC Hidden Agendas

Character Secrets & Development Arcs

Jennifer Wilson - Workspace Manager

Hidden Agenda: Competing coworking space is poaching members—any service disruption could trigger mass exodus

Secret Fear: Network unreliability will give competing workspace marketing ammunition, destroying Innovation Hub’s professional brand

Character Arc:

  • Initial: “We cannot disrupt the network—members will leave for CompeteSpace down the street”
  • Mid-Game: Realizes transparent handling and effective resolution strengthen member loyalty
  • Resolution: Understands workspace community built on trust, not just uninterrupted service

Roleplay Notes: Start fixated on avoiding disruption, gradually recognize that demonstrating competent security response builds professional confidence

Carlos Martinez - Network Administrator

Hidden Agenda: Recommended shared network architecture over segmented approach to reduce costs—now questioning that decision

Secret Doubt: Wondering if cheaper network design created vulnerability affecting 120 businesses

Character Arc:

  • Initial: Defensive about network architecture decisions, focused on quick fixes
  • Mid-Game: Proposes network segmentation enhancements, recognizes multi-tenant security needs
  • Resolution: Designs improved architecture balancing cost, usability, and security for professional environment

Roleplay Notes: Transform from defensive to innovative as team demonstrates focus on solution, not blame

Diana Foster - Community Manager

Hidden Agenda: Several high-value members threatened to leave if “tech problems” continue—losing them costs $15K/year revenue

Secret Pressure: Workspace owner pressuring her to prevent member departures at all costs

Character Arc:

  • Initial: “We need to fix this quietly without alerting members—can’t risk departures”
  • Mid-Game: Learns transparent communication and member involvement build community strength
  • Resolution: Understands professional community values competence over perfection

Roleplay Notes: Use her to explore tension between hiding problems vs transparent handling in professional communities

Robert Chen - Member Services Coordinator

Hidden Agenda: Knows several freelancers face business-critical Monday deadlines—one developer’s healthcare app has regulatory consequences if delayed

Secret Knowledge: Specific member impact details that make general remediation insufficient—needs targeted support

Character Arc:

  • Initial: “Each member has unique client obligations—one-size remediation won’t work”
  • Mid-Game: Helps team prioritize critical business needs while maintaining collective security
  • Resolution: Develops member-specific support framework within broader security response

Roleplay Notes: Use him to highlight professional diversity challenge and need for flexible remediation approaches

The Complete Technical Picture

What’s Really Happening - FakeBat Coworking Attack

Attack Timeline

Monday-Wednesday (Previous Week): Freelancers targeted by productivity-focused malware campaigns on remote work forums and freelance community sites

Tuesday, Various Times: Initial FakeBat installations across member devices via fake freelancer productivity software

Wednesday-Thursday: FakeBat establishes browser hijacking on individual systems, begins shared network reconnaissance

Thursday Evening: Shared network mapping identifies high-value member client data

Friday, 2:00 PM: Browser redirections and advertisements become noticeable across multiple members

Friday, 4:15 PM (Current): Carlos confirms widespread compromise affecting shared network

Technical Mechanisms

Initial Access:

  • Attack Vector: Fake freelancer productivity software (WorkSync Pro, FreelanceTools, ClientConnect, ProjectBoost)
  • Social Engineering: Exploited independent contractor needs for professional tools and collaboration efficiency
  • Delivery Method: Targeted ads on freelance forums, fake reviews on remote work communities, sponsored posts in freelancer groups
  • User Behavior: Freelancers routinely download productivity tools to enhance client work without corporate IT vetting

Shared Network Exploitation:

  • Multi-Tenant Reconnaissance: FakeBat mapping shared network to identify all connected devices
  • Lateral Movement Preparation: Exploiting shared network trust to access other members’ systems
  • Client Data Identification: Targeting valuable freelancer client projects across diverse industries
  • Network Performance Impact: Bandwidth consumption affecting all 120 workspace members

Browser Hijacking & Data Harvesting:

  • Browser homepage modifications to advertising networks
  • Search engine redirection during client research
  • Injected advertisements during video calls and presentations
  • Keystroke logging targeting client credentials and project files

Staged Secondary Payloads:

  • Stage 1 (Completed): Browser hijacking and ad injection
  • Stage 2 (In Progress): Client project file reconnaissance across member devices
  • Stage 3 (Pending Sunday Evening): Information stealer activation targeting:
    • Client credentials (email, project management tools, collaborative platforms)
    • Project files (designs, code, documents, presentations)
    • Professional data (contracts, proposals, client communications)

Current Threat Status

Immediate Danger: Compromised devices on shared network affecting all 120 workspace members

Escalating Risk: Client data at risk across diverse industries (HIPAA healthcare data, legal privileged communications, proprietary business information)

Critical Threat: Information stealer Sunday 8 PM activation—would harvest client projects and credentials 12 hours before Monday deadlines

Multi-Tenant Impact: One member’s compromise affects shared network reliability for entire professional community

Attack Objective: Intellectual property theft, client credential harvesting, professional data sale on dark web markets

Investigation Progress Tracking

Session Worksheet - Mark Progress as Team Discovers

Round 1: Discovery Phase

Malmon Identification:

Initial Containment Actions:

Key Discovery: Freelancer productivity tool trust and shared network architecture created multi-tenant vulnerability

Round 2: Investigation Phase

Scope Assessment:

Stakeholder Management:

Critical Decision Point: Team must decide between network lockdown vs selective remediation, member-by-member support vs collective approach, Monday deadline protection vs security thoroughness

Round 3: Response Phase

Remediation Actions Chosen:

Response Effectiveness:

Outcome Assessment:

Debrief Discussion Points

Technical Learning:

  • How does shared workspace multi-tenancy differ from corporate network security?
  • Why is network segmentation more effective than individual device cleanup?
  • What freelancer-specific malware delivery methods did attackers exploit?

Collaboration Insights:

  • How did team balance 120 individual business needs with collective security?
  • What communication strategies worked for diverse professional community?
  • How did team manage workspace reputation during security crisis?

Reflection Questions:

  • “How do coworking spaces create unique security architecture challenges?”
  • “What would you design for shared workspace security balancing individual business flexibility with collective protection?”
  • “How can security response strengthen rather than damage professional community trust?”

Type Effectiveness Matrix

FakeBat (Downloader/Social) - Response Effectiveness

Highly Effective (+3 Bonus)

Network Segmentation:

  • Isolates compromised devices from shared infrastructure
  • Protects uninfected members from lateral movement
  • Enables targeted remediation without disrupting entire community
  • Why Effective: Multi-tenant architecture requires collective protection—segmentation contains threat while maintaining service

Member Education Program:

  • Teaches freelancers to recognize fake productivity software
  • Provides professional tool vetting guidance
  • Builds ongoing shared security culture
  • Why Effective: Prevents social engineering reinfection by addressing freelancer behavior patterns

Moderately Effective (+2 Bonus)

Workspace System Reset:

  • Restores compromised member devices to clean state
  • Implements consistent security baseline
  • Removes malware variants
  • Why Effective: Addresses immediate infection but requires education to prevent recurrence

Client Data Protection:

  • Enhanced monitoring of client project access
  • Credential rotation for professional tools
  • Secure backup verification
  • Why Effective: Protects critical professional assets but doesn’t remove malware from devices

Somewhat Effective (+1 Bonus)

Member Device Isolation:

  • Quarantines individual compromised systems
  • Prevents further spread
  • Maintains network availability for clean devices
  • Why Effective: Useful containment but doesn’t scale well across 120 independent professionals

Network Monitoring:

  • Enhanced visibility into shared network traffic
  • Early detection of malicious behavior
  • Lateral movement identification
  • Why Effective: Provides awareness but doesn’t remove existing infections

Neutral Effectiveness (No Bonus)

Antimalware Deployment:

  • Scanning tools detect some FakeBat variants
  • Removes known signatures
  • Provides ongoing protection
  • Why Neutral: Useful supplemental tool but insufficient alone for downloader constantly fetching new payloads

Ineffective (-1 or -2 Penalty)

Individual Member Support (-1):

  • Manually assisting each of 120 freelancers separately
  • Inconsistent remediation across diverse devices
  • Labor-intensive with limited workspace resources
  • Why Ineffective: Scale makes individual approach impractical—collective solutions required for shared workspace

Trusting Productivity Software (-2):

  • Continuing to allow unvetted software installations
  • Assuming freelancers will make secure choices
  • No verification or approval systems
  • Why Ineffective: Social engineering exploits professional tool trust—without addressing behavior, reinfection inevitable

Delaying Remediation (-2):

  • Postponing cleanup until after Monday deadlines
  • Allowing information stealer Sunday activation
  • Risking 120 businesses’ client data
  • Why Ineffective: Information stealer activation would create mass data breach affecting diverse client relationships and professional livelihoods

Facilitator Notes

If team is stuck:

  • Carlos can propose network segmentation vs individual cleanup trade-offs
  • Jennifer can share workspace reputation and member retention concerns
  • Diana can clarify member communication and community dynamics
  • Robert can highlight specific freelancer business impact and deadline diversity

If team rushes to conclusions:

  • Emphasize 120-member scale challenge and professional diversity
  • Introduce information stealer Sunday activation deadline
  • Present competing workspace poaching pressure
  • Highlight specific critical Monday deadlines (healthcare regulatory, legal filing, major client launches)

Common mistakes to address:

  • Attempting individual member support instead of collective network approach
  • Ignoring member education (reinfection will occur)
  • Network lockdown without considering 120 business continuity needs
  • Silent remediation without transparent community communication

Round 1: Discovery Phase

Investigation & Initial Findings

Starting Information

What Team Knows:

  • Multiple freelancer reports of browser issues and unexpected software
  • Fake productivity tools identified on sample member devices
  • 120 total workspace members across diverse professions
  • Shared network architecture connecting all members
  • Multiple Monday client deadlines across different industries

Available Actions:

  • Interview affected freelancers and workspace staff
  • Analyze fake software behavior and installation sources
  • Check compromise scope across shared network
  • Review network architecture and multi-tenant design
  • Research freelancer-targeted malware delivery vectors

Investigation Challenges

Fake Software Analysis (DC 10):

  • Success: Identify FakeBat downloader signatures in fake freelancer productivity tools
  • Critical Success: Discover shared network reconnaissance behavior, trace delivery to freelance community forums, identify staged secondary payloads

Shared Network Assessment (DC 12):

  • Success: Map compromise scope across multi-tenant environment
  • Critical Success: Understand lateral movement risks, identify client data exposure across diverse industries, recognize Sunday information stealer activation

Professional Impact Analysis (DC 15):

  • Success: Assess Monday deadline cascade affecting 120 businesses
  • Critical Success: Identify critical deadlines with severe consequences (regulatory, legal, major client), understand diverse client data protection obligations

Key Discovery Moments

The Freelancer Productivity Trust Exploitation:

When team investigates how infections spread:

“Freelancers are independent professionals constantly seeking tools to enhance client work and competitive advantage. Software promising ‘collaboration efficiency,’ ‘project management,’ and ‘professional productivity’ bypasses skepticism because these tools are perceived as business necessities. Unlike corporate employees with IT departments vetting software, freelancers make independent decisions—and attackers exploit that professional autonomy.”

The Multi-Tenant Vulnerability:

When Carlos explains shared network architecture:

“Our network design prioritizes collaboration and professional community—all 120 members share infrastructure for cost efficiency and ease of use. But that means one member’s compromised device can affect everyone. We built a professional workspace, but we created a single network where individual security becomes collective vulnerability.”

The Business Diversity Challenge:

When Robert maps member impact:

“We have 120 completely different businesses here. A web designer’s Monday deadline is an e-commerce launch affecting their client’s retail sales. A healthcare developer’s deadline is a regulatory requirement with legal consequences. An attorney’s filing is a statutory deadline—courts don’t grant extensions. We can’t just ‘delay everything’—each member has unique client obligations and professional stakes.”

The Malmon Identity:

When team pieces together attack pattern:

“This is FakeBat—a Downloader/Social malmon that exploits freelancer productivity tool trust to establish browser hijacking, then leverages shared workspace network architecture to conduct reconnaissance on client data across diverse professional industries.”

Round 1 Conclusion

What Team Should Discover:

  1. Attack Vector: Fake freelancer productivity software exploiting professional tool trust
  2. Malmon Identity: FakeBat (Downloader/Social)
  3. Infection Scope: Shared network compromise affecting 120-member environment
  4. Current Activity: Browser hijacking, shared network reconnaissance, client data targeting
  5. Critical Context: Multi-tenant architecture vulnerability, professional diversity, Monday deadline cascade

Stakeholder Reactions:

  • Jennifer (Workspace Manager): Worried about member exodus to competing coworking space
  • Carlos (Network Admin): Questioning shared network architecture decisions, proposing segmentation
  • Diana (Community Manager): Managing member anxiety and maintaining workspace community trust
  • Robert (Member Services): Identifying critical business deadlines and diverse client obligations

Transition to Round 2:

“You’ve identified FakeBat across the shared network and understand the multi-tenant challenge. But as Carlos analyzes the malware staging, he discovers something alarming: An information stealer is scheduled to activate Sunday evening at 8 PM—12 hours before your members’ Monday deadlines. It’s configured to harvest client projects, professional credentials, and proprietary data across all 120 independent businesses. The question now becomes: How do you protect 120 different professional livelihoods while restoring a shared network infrastructure?”

Round 2: Investigation Phase

Scope Assessment & Critical Decisions

Expanded Investigation Findings

Information Stealer Discovery:

  • Activation Schedule: Sunday 8 PM (36 hours from now, 12 hours before Monday deadlines)
  • Target Data: Client projects (designs, code, documents), professional credentials (email, project management), proprietary information
  • At-Risk Industries: Healthcare (HIPAA data), legal (privileged communications), business (confidential strategies), creative (intellectual property)
  • Scope: All 120 workspace members potentially exposed

Critical Monday Deadline Examples:

  • Healthcare App Developer: Regulatory deployment deadline (federal requirement, no extension possible)
  • Attorney: Court filing deadline (statutory requirement, missing it jeopardizes client case)
  • Web Designer: E-commerce launch ($50K project, client retail sales begin Monday)
  • Marketing Consultant: Fortune 500 presentation (rescheduling means losing $200K contract)
  • Business Strategist: Merger analysis delivery (time-sensitive corporate decision)

Competing Workspace Threat:

Diana reports: “CompeteSpace down the street has been poaching our members. They’re sending emails highlighting our ‘reliability issues.’ If we disrupt the network this weekend or if members discover security problems, we could lose 30% of our community—and they’re targeting our highest-value professionals.”

Stakeholder Pressure Intensifies

Jennifer Wilson (Workspace Manager):

“We have two options: Emergency network lockdown affecting all 120 members this weekend, or targeted remediation maintaining service. If we lock down, we’ll lose members to CompeteSpace. But if we don’t address this completely, we’re exposing 120 businesses to data theft. Which matters more—our workspace survival or member security?”

Present choice: Network disruption vs selective remediation

Carlos Martinez (Network Administrator):

“I can implement network segmentation—isolate compromised devices, protect clean systems, enable targeted cleanup without disrupting everyone. It’ll take 24 hours to deploy properly. Or I can do emergency antimalware scans across the shared network this weekend—faster but less effective. Segmentation is the right solution, but it means some members can’t work Saturday.”

Present choice: Comprehensive architecture improvement vs quick fixes

Diana Foster (Community Manager):

“How do we communicate this to 120 independent professionals? If we send a mass email about security problems, we’ll create panic and CompeteSpace will exploit it. But if we handle it quietly and members discover we hid client data risks, we’ll destroy community trust. What’s worse—transparency that might trigger departures or secrecy that definitely destroys trust if discovered?”

Present choice: Transparent member communication vs quiet remediation

Robert Chen (Member Services):

“Each member has unique needs. The healthcare developer needs specific data protection guidance for HIPAA compliance. The attorney needs confirmation their privileged communications are secure. The web designer needs weekend access to finish their launch. We can’t treat 120 different businesses as a single remediation problem—but we also can’t provide 120 individualized solutions. How do we balance collective security with individual business needs?”

Present choice: One-size remediation vs member-specific support

The Sunday Deadline

Critical Timeline Update:

“It’s now Friday, 6:00 PM—38 hours until information stealer activation, 62 hours until Monday deadlines. Your remediation must:

  1. Remove FakeBat from shared network (requires network segmentation or lockdown)
  2. Prevent Sunday evening information stealer (deadline: Sunday 8 PM)
  3. Restore reliable service for Monday work (deadline: Monday 8 AM)
  4. Protect 120 different client relationships (diverse professional obligations)

Option A: Network Segmentation (24-hour deployment)

  • Comprehensive solution isolating compromised devices
  • Some members offline Saturday, all clean by Sunday morning
  • Prevents reinfection through architectural improvement
  • Monday deadlines met with secured infrastructure

Option B: Emergency Scan & Cleanup (12-hour execution)

  • Fast antimalware deployment across shared network
  • Maintains weekend access for all members
  • Less effective against downloader, reinfection risk high
  • Monday deadlines met but security vulnerability persists

Option C: Critical Member Priority (Hybrid)

  • Identify 20 critical Monday deadline members
  • Provide dedicated cleanup and isolated network access
  • Remaining 100 members use shared network this weekend
  • Deploy comprehensive segmentation solution post-Monday
  • Protects highest-stakes deadlines but leaves others vulnerable

“Which approach balances 120 business continuity needs with professional data protection?”

Investigation Challenges

Information Stealer Analysis (DC 12):

  • Success: Identify activation timeline and target data scope across industries
  • Critical Success: Map specific client data at risk, understand diverse compliance requirements (HIPAA, legal privilege, proprietary business data)

Network Segmentation Planning (DC 15):

  • Success: Design multi-tenant architecture balancing security and usability
  • Critical Success: Create member-specific solutions within collective framework, enable professional flexibility with shared protection

Community Communication (DC 18):

  • Success: Transparent member notification maintaining workspace trust
  • Critical Success: Position security response as demonstrating workspace competence, strengthen professional community through honest handling

Round 2 Conclusion

What Team Must Decide:

  1. Network Strategy: Segmentation vs emergency scans vs hybrid approach
  2. Member Communication: Transparent vs selective vs silent
  3. Business Support: Collective vs individualized vs tiered approach
  4. Timeline Priority: Comprehensive solution vs Monday deadlines vs balanced risk

The Central Tension:

Shared workspace architecture created efficiency and community—now that same multi-tenant design pressures team to choose between collective security and individual business continuity.

Transition to Round 3:

“You have complete technical information about FakeBat’s timeline and multi-tenant impact. The question now is: What kind of professional workspace do you want to be? One that prioritizes uninterrupted service over member data protection? Or one that demonstrates security competence even when it requires temporary disruption?”

Round 3: Response Phase

Critical Response Decision

The Situation

Technical Status:

  • FakeBat downloader across shared network
  • Client project reconnaissance in progress
  • Information stealer activating Sunday 8 PM (38 hours)
  • 120 freelance businesses affected
  • Shared network architecture enabling lateral movement

Stakeholder Positions:

  • Jennifer (Workspace Manager): Worried member disruption triggers exodus to competing workspace
  • Carlos (Network Admin): Recommends network segmentation (24-hour deployment, Saturday disruption)
  • Diana (Community Manager): Wants transparent communication without creating panic
  • Robert (Member Services): Advocates balancing collective security with individual business needs

Timeline Pressure:

  • Information stealer activation: 38 hours
  • Monday deadlines: 62 hours (120 separate business deadlines)
  • Weekend work period: Now through Sunday evening
  • Current time: Friday 6:00 PM

Response Option Paths

Path A: Professional Community Priority (Network Segmentation)

Actions:

  • Immediate member notification about security incident and response plan (Friday evening)
  • Network segmentation deployment starting Saturday morning (24 hours)
  • Compromised device isolation with dedicated cleanup support
  • Clean devices maintain network access on secured segment
  • Member education program launch about productivity software vetting
  • Monday-ready secured infrastructure

Consequences:

  • Saturday disruption for compromised member devices (approximately 40 members offline)
  • Remaining 80 members work on secured network segment
  • Transparent handling builds community trust
  • Information stealer prevented from activation
  • Monday deadlines met on secured, segmented network
  • Outcome: Short-term Saturday disruption, long-term professional workspace reputation as security-competent community

Type Effectiveness: Network Segmentation +3, Member Education +3, Workspace Reset +2, Client Data Protection +2

DC Requirements: Network segmentation (DC 15), Member communication (DC 18), Critical deadline support (DC 12)

Path B: Business Continuity Balance (Hybrid Approach)

Actions:

  • Identify 20 critical Monday deadline members (healthcare regulatory, legal filing, major client launches)
  • Provide dedicated cleanup and isolated network access Friday-Saturday
  • Emergency antimalware deployment across remaining shared network
  • Information stealer prevention across all systems
  • Transparent targeted communication (critical members + general advisory)
  • Full segmentation deployment Monday-Wednesday post-deadline

Consequences:

  • Critical business deadlines protected with dedicated support
  • Remaining members use partially secured shared network
  • Information stealer prevented from activation
  • Comprehensive segmentation deployed after immediate crisis
  • Balanced member impact with targeted criticality-based support
  • Outcome: Monday deadlines met across all members, security improved incrementally, professional relationships maintained

Type Effectiveness: Network Segmentation +3 (post-deadline), Client Data Protection +2, Member Education +3, Network Monitoring +1

DC Requirements: Critical member identification (DC 12), Hybrid deployment (DC 15), Tiered communication (DC 15)

Path C: Service Continuity Priority (Minimal Disruption)

Actions:

  • Emergency antimalware scans Friday night
  • No network disruption or member notification
  • Continue shared network operations through weekend
  • Delayed comprehensive cleanup until Monday evening
  • Information stealer activates Sunday 8 PM (accepted risk)

Consequences:

  • Information stealer harvests client projects across 120 businesses Sunday evening
  • Healthcare HIPAA data stolen, legal privileged communications exposed, proprietary business strategies compromised
  • Monday work proceeds with members unaware their client data was stolen
  • Data breach notification required across diverse industries
  • Members discover nondisclosure, professional trust destroyed
  • Competing workspace exploits breach in marketing: “Security matters—switch to CompeteSpace”
  • Mass member exodus, workspace reputation collapse
  • Outcome: Weekend service maintained but professional community destroyed, 120 businesses affected by data breach, workspace closure risk

Type Effectiveness: Individual Support -1, Trusting Productivity Software -2, Delaying Remediation -2 (ineffective approaches compound catastrophic failure)

DC Requirements: All DCs increased +5 due to multi-business data breach, professional community collapse, workspace closure risk

Response Execution Challenges

Network Segmentation Deployment (DC 15):

  • Success: Multi-tenant architecture secures shared infrastructure while maintaining professional services
  • Failure: Poor segmentation implementation disrupts business continuity without security benefit

Member Communication (DC 18 for full transparency, DC 15 for targeted):

  • Success: Honest communication maintains professional community trust despite incident
  • Failure: Poor communication creates panic, defensive posture damages workspace credibility

Critical Deadline Support (DC 12):

  • Success: Individualized support for high-stakes deadlines within collective security framework
  • Failure: One-size approach fails diverse professional needs, members miss critical client obligations

Community Trust Management (DC 20):

  • Success: Security response demonstrates workspace competence, strengthens member loyalty
  • Failure: Response perceived as prioritizing workspace over member businesses, trust collapse

Outcome Determination

Victory Conditions Met:

  1. FakeBat completely removed from shared network
  2. Client projects and data protected across 120 businesses
  3. Monday deadlines met successfully
  4. Network architecture improved with segmentation
  5. Professional community trust maintained or strengthened

Partial Success:

  • Malware removed but architecture unchanged (reinfection likely)
  • Monday deadlines met but member trust damaged by poor communication
  • Segmentation deployed but excessive disruption harms member relationships

Failure:

  • Information stealer activates, 120 businesses’ client data stolen
  • Data breach affects diverse industries (HIPAA violations, legal privilege breaches, IP theft)
  • Members discover nondisclosure, professional credibility destroyed
  • Competing workspace exploits security failure
  • Mass member exodus, workspace revenue collapse
  • Professional community destroyed, business closure

Round 3 Conclusion

Success Narrative Example (Path A or B):

“By Saturday morning, network segmentation is deploying. You’ve communicated transparently with all 120 members about the security incident and your response plan. Some members appreciate the honesty—several specifically mention trusting a workspace that ‘doesn’t hide problems.’

“Sunday evening, all compromised devices are clean and operating on secured network segments. The information stealer never activates—client data is protected. Monday morning, 120 freelancers successfully meet their deadlines using secured infrastructure.

“Over the following weeks, several members mention the incident to prospective freelancers considering Innovation Hub. They describe it as ‘the workspace that handled a security problem transparently and professionally’—exactly the competence independent professionals value. CompeteSpace’s poaching attempts fail because your community trusts your security response. Innovation Hub becomes known as the professional workspace that chose member protection over convenient secrecy.”

Failure Narrative Example (Path C):

“The weekend proceeds normally. Members work uninterrupted. Sunday 8 PM, the information stealer activates across 120 compromised devices, harvesting client projects, professional credentials, and proprietary data.

“Monday, freelancers deliver projects to clients—unaware their files were stolen Sunday night. By Tuesday, clients discover stolen proprietary strategies on competitor websites. Healthcare app source code appears on dark web markets. Legal privileged communications are exposed.

“When your required data breach notifications reveal you knew about the risk Sunday but chose not to warn members, the professional community collapses. Attorneys file complaints for privileged communication exposure. Healthcare developers face HIPAA violations. Business consultants lose clients over stolen strategies.

“CompeteSpace launches marketing: ‘Your Business Security Matters—Professional Workspace You Can Trust.’ Within two weeks, 60 members cancel memberships. Within a month, Innovation Hub faces closure. 120 professional relationships built over years destroyed because one decision prioritized weekend convenience over member data protection.”

Debrief Framework

Learning Consolidation & Reflection

Technical Debrief

What Just Happened (Technical Summary):

  1. Attack Vector: Fake freelancer productivity software exploiting professional tool trust and independent contractor autonomy
  2. Malmon Behavior: FakeBat downloader established browser hijacking, leveraged shared network for multi-tenant reconnaissance, staged information stealer
  3. Multi-Tenant Challenge: Shared workspace architecture created collective vulnerability from individual compromises
  4. Detection Method: Member reports and network monitoring revealed widespread compromise
  5. Response Challenge: Balancing 120 individual business needs with collective network security under Monday deadline pressure

Type Effectiveness Review:

  • Why Network Segmentation +3? Multi-tenant architecture requires collective protection—segmentation enables targeted remediation without complete disruption
  • Why Member Education +3? Prevents social engineering reinfection by addressing freelancer productivity tool trust
  • Why Individual Support -1? 120 independent businesses require scalable solutions, not individual case management

Technical Learning Question:

“How would you design shared workspace network architecture that balances professional business flexibility, cost efficiency, and multi-tenant security?”

Collaboration Debrief

Stakeholder Management Review:

  • Jennifer (Workspace Manager): How did workspace reputation concerns affect security decisions? What changed her perspective on transparent handling?
  • Carlos (Network Admin): What multi-tenant security challenges emerged? How did the team support architecture improvement decisions?
  • Diana (Community Manager): How did the team balance professional community communication with security urgency?
  • Robert (Member Services): What strategies addressed 120 different business needs within collective security response?

Communication Strategies:

  • What worked for notifying members about the security incident without creating panic?
  • How did the team position temporary disruption as demonstrating workspace competence?
  • What approaches balanced collective security with individualized business support?

Collaboration Learning Question:

“How does shared workspace multi-tenancy require different incident response approaches than corporate IT or single-business environments? What unique challenges does freelancer professional diversity create?”

Reflection & Real-World Connection

Scenario Themes:

  1. Multi-Tenant Security: How shared infrastructure creates collective vulnerability requiring architectural solutions
  2. Professional Autonomy Trust: How freelancer independent decision-making about productivity tools differs from corporate IT vetting
  3. Business Diversity Challenge: How 120 different professional obligations require flexible response frameworks
  4. Community Trust vs Convenience: How transparent handling strengthens professional relationships despite temporary disruption

Personal Reflection Questions:

  • “Have you worked in shared workspaces or multi-tenant environments? How did security affect the professional community?”
  • “How would you balance individual business needs with collective security in your workplace?”
  • “What surprised you about freelancer security challenges compared to corporate employee environments?”

Real-World Context:

  • Coworking spaces increasingly common for remote work and independent contractors
  • Multi-tenant network architecture creates unique security challenges requiring segmentation
  • Professional autonomy means freelancers make security decisions without corporate IT guidance
  • Shared workspace reputation depends on demonstrating competence, not claiming perfection

Facilitator Self-Reflection

Session Assessment:

  • Pacing: Did multi-tenant complexity emerge naturally?
  • NPC Development: Did characters demonstrate realistic workspace management vs security tension?
  • Challenge Balance: Were DCs appropriate for 120-member diversity complexity?
  • Learning Moments: What insights about shared workspace security emerged organically?

Adaptation Notes for Next Time:

  • Easier: Reduce member count to 40, extend deadline timeline, provide clear segmentation template
  • Harder: Add a confirmed multi-industry data breach, include active poaching by a competing workspace, expand to a workspace chain infection
  • Industry variations: Maker space (shared equipment), business incubator (startup support), shared office building (multi-company facility)

Victory Celebration

If Team Succeeded:

Acknowledge specific excellent decisions:

  • “Choosing network segmentation showed excellent understanding that multi-tenant environments require architectural solutions, not just endpoint fixes.”
  • “Communicating transparently with members about temporary disruption demonstrated mature understanding that professional communities value competence over perfection.”
  • “Balancing 120 individual business needs with collective security through tiered support showed sophisticated stakeholder management.”

What This Victory Means:

“You protected 120 independent businesses from client data theft. You demonstrated that shared workspaces can provide professional security even under deadline pressure. You showed freelancers that workspace community builds on transparent handling, not convenient secrecy. Innovation Hub will be known as the coworking space that chose member protection over weekend convenience—exactly the professional competence that independent contractors value when selecting their workspace.”

Thank You for Playing!

Continue the Adventure

Share Your Experience

  • Feedback: How did this scenario work for your team? Share with us
  • Customization: Adapted this scenario for a maker space, business incubator, or shared office building? We’d love to hear about it!

Explore More Scenarios

  • FakeBat Small Business: Limited resource constraints and operational pressure
  • FakeBat Gaming Cafe: Public customer systems and mass-scale remediation
  • FakeBat Nonprofit: Volunteer technology and community trust management

May your workspace stay secure and your professional deadlines be met!