FakeBat - Level Up Gaming Cafe Crisis

Public Systems Under Tournament Pressure

Malware & Monsters

2025-12-04

Welcome to Malware & Monsters!

What You’re About to Experience

You’re part of Level Up Gaming Cafe’s incident response team, racing to restore 80 compromised gaming stations before Saturday’s major esports tournament.

Your Mission

Investigate and contain a malware outbreak across public customer systems while protecting customer data, maintaining payment security, and saving the biggest tournament of the year.

Quick Start for Incident Managers

New to facilitating Malware & Monsters? Start here:

IM Quick Start Guide - Everything you need to run this scenario in one concise document

The Hook

Thursday Afternoon, 3:45 PM - Tournament Week Chaos

Your gaming cafe is buzzing with pre-tournament excitement. Saturday’s esports tournament has 150 registered participants, sponsors arriving tomorrow, and streaming partners ready to broadcast to thousands of viewers.

Then your Systems Administrator bursts into the office:

Emma’s Emergency Report

“We have a serious problem. Customers are complaining about browser redirects and weird ads during gameplay. I just checked—gaming stations are full of fake software. ‘Graphics driver updates,’ ‘game performance boosters,’ ‘essential gaming utilities’—customers have been downloading this stuff all week.”

Initial Observations

  • Browser behavior: Unexpected redirects during game launches
  • Advertisements: Persistent popups interfering with gameplay
  • Fake software: Game launchers, graphics drivers, “performance tools”
  • Customer complaints: “My game is lagging,” “These ads won’t stop,” “What’s this software?”
  • Scale: “I’ve checked 12 stations—all compromised. We have 80 total.”

Tournament starts in 48 hours. Your reputation, your revenue, and your customers’ data are all at stake.

Organization Context

Level Up Gaming Cafe: Public Entertainment Venue

Organization Profile

  • Type: Gaming cafe and esports tournament venue
  • Size: 25 staff members, 80 high-performance gaming stations
  • Operations: Hourly gaming rental, tournament hosting, esports events, food/beverage service
  • Revenue Model: Station rentals ($5-15/hour), tournaments ($20-50 entry fees), food/drinks, sponsorships
  • Technology: 80 gaming PCs, centralized payment processing, tournament streaming equipment

Current Business Context

Saturday Esports Tournament:

  • Scale: 150 participants, 8-hour event, $5,000 prize pool
  • Visibility: Streaming partners broadcasting to thousands of viewers
  • Sponsors: Local businesses, gaming peripheral companies, energy drink brands
  • Revenue: $3,000 in entry fees + concessions + potential future bookings
  • Reputation: Largest event Level Up has ever hosted

Public System Challenges

  • Unknown customer actions: Anyone can download anything on gaming stations
  • Shared equipment: 80 stations used by hundreds of customers weekly
  • Gaming trust culture: Gamers routinely download “performance enhancers” and utilities
  • Payment integration: Customer credit cards processed on same network as gaming stations

Initial Symptoms

What You’re Seeing - Thursday Afternoon

Browser & System Behavior

  • Redirections: Browsers automatically redirect during game launches and web browsing
  • Advertisements: Persistent popups appearing even during gameplay
  • Performance Issues: Some gaming stations experiencing slowdowns
  • Unexpected Software: Unfamiliar programs in startup menus and system trays

Customer-Installed Fake Software

Staff have identified suspicious programs customers downloaded:

  1. “GameBoost Pro” - Claimed to optimize game performance
  2. “GraphicsDriverUpdate.exe” - Appeared to be official graphics driver
  3. “EsportsLauncher” - Fake tournament game launcher
  4. “FPS_Optimizer” - Promised frame rate improvements
  5. “ProGamerTools” - Collection of “essential” gaming utilities

Customer Reports

  • “These ads are ruining my gaming session—can I get a refund?”
  • “I thought GameBoost Pro would help my FPS, but now everything’s worse”
  • “Is this GraphicsDriverUpdate thing legit? It installed automatically”
  • “My browser keeps redirecting to weird sites when I try to launch games”

Payment System Concerns

Jessica (Customer Support Lead) reports: “Payment terminals are on the same network as gaming stations. If those systems are compromised, customer credit card data could be at risk.”

NPCs: Your Key Contacts

People Who Need Your Help

Tony Kim - Cafe Manager

What They Care About: Tournament success, customer trust, business reputation, revenue protection

Current State: Panicking about Saturday tournament—sponsors arriving tomorrow, can’t afford cancellation

Helpful For: Business constraints, tournament requirements, customer relationships, financial priorities

Potential Barrier: May pressure for quick fixes over thorough remediation to save tournament

Emma Foster - Systems Administrator

What They Care About: System integrity, complete malware removal, payment security

Current State: Investigating scope across 80 stations, realizing mass-scale remediation challenge

Helpful For: Technical investigation, system architecture, remediation strategies, gaming station management

Potential Barrier: Overwhelmed by scale—needs guidance on mass station restoration vs individual cleanup

Alex Rodriguez - Tournament Coordinator

What They Care About: Tournament operations, participant experience, streaming quality, sponsor satisfaction

Current State: Reporting increasing customer complaints, worried about tournament cancellation impacts

Helpful For: Tournament technical requirements, participant expectations, sponsor commitments, backup planning

Potential Barrier: May not understand security implications—focuses on “just make it work for Saturday”

Jessica Wong - Customer Support Lead

What They Care About: Customer safety, payment security, data protection, service quality

Current State: Handling customer complaints, discovering payment network concerns, worried about data breach

Helpful For: Customer impact assessment, payment system architecture, notification strategies, trust rebuilding

Potential Barrier: May push for customer notification before team is ready with complete information

NPC Hidden Agendas

Character Secrets & Development Arcs

Tony Kim - Cafe Manager

Hidden Agenda: Already spent tournament sponsorship money on equipment upgrades—cancellation would create financial crisis

Secret Fear: Losing business to competitor gaming cafes if tournament fails or customers lose trust

Character Arc:

  • Initial: “We cannot cancel this tournament—find a way to make it work by Saturday”
  • Mid-Game: Realizes complete cleanup matters more than rushed tournament
  • Resolution: Understands customer security builds long-term reputation more than single event success

Roleplay Notes: Start fixated on tournament timeline, gradually recognize that customer data protection is fundamental to business survival

Emma Foster - Systems Administrator

Hidden Agenda: Recommended trusting customers with admin access to install gaming mods—now realizes this created the vulnerability

Secret Doubt: Questioning whether gaming cafe security is even possible with public customer systems

Character Arc:

  • Initial: Defensive about admin access decisions, overwhelmed by 80-station scope
  • Mid-Game: Proposes mass reimaging strategy, recognizes need for customer education
  • Resolution: Designs public system security model balancing customer freedom with protection

Roleplay Notes: Transform from defensive and overwhelmed to proactive problem-solver as team demonstrates focus on solution, not blame

Alex Rodriguez - Tournament Coordinator

Hidden Agenda: Prioritizing sponsor satisfaction over everything—they funded the prize pool and expect successful event

Secret Pressure: Sponsors hinted at future partnerships if tournament succeeds—massive opportunity for venue growth

Character Arc:

  • Initial: “Sponsors are arriving tomorrow, we can’t disappoint them with cancellation”
  • Mid-Game: Recognizes security incident could damage sponsors’ brands too
  • Resolution: Understands transparent handling maintains sponsor trust better than rushed event with compromised systems

Roleplay Notes: Use him to explore business pressure vs security thoroughness—eventually realizes sponsors want association with trustworthy venue, not risky event

Jessica Wong - Customer Support Lead

Hidden Agenda: Knows customers provided credit card information on potentially compromised systems—legally and ethically concerned about notification requirements

Secret Worry: Personal liability for customer data protection failures—worried she should have escalated payment security concerns earlier

Character Arc:

  • Initial: Pushing for immediate customer notification to protect them and herself
  • Mid-Game: Learns to balance prompt communication with having accurate information to share
  • Resolution: Develops customer communication strategy that maintains trust through transparency

Roleplay Notes: Use her moral compass to keep team focused on customer protection—transforms from anxiety-driven notification push to thoughtful communication strategy

The Complete Technical Picture

What’s Really Happening - FakeBat Gaming Cafe Attack

Attack Timeline

Monday-Wednesday (Tournament Week): Customers download fake gaming software from compromised gaming-focused websites and ads

Monday, Various Times: Initial FakeBat installations across multiple gaming stations via customer downloads

Tuesday-Wednesday: FakeBat establishes browser hijacking, begins secondary payload downloads

Wednesday Evening: Browser redirections and advertisements become noticeable to customers

Thursday, 12:00 PM: Customer complaints increase, Emma begins investigation

Thursday, 3:45 PM (Current): Emma confirms 80-station compromise scope

Technical Mechanisms

Initial Access:

  • Attack Vector: Fake gaming software downloads (GameBoost Pro, GraphicsDriverUpdate.exe, etc.)
  • Social Engineering: Exploited gaming performance optimization trust and “pro gamer” culture
  • Delivery Method: Compromised gaming utility websites, malicious ads on gaming forums
  • User Behavior: Customers routinely download “performance enhancers” without verification

Browser Hijacking:

  • Browser homepage and search engine modifications
  • Automatic redirections to advertising networks during browsing
  • Injected advertisements into legitimate web pages
  • New browser extensions installed without user knowledge

Secondary Payload Activity:

  • Stage 1 (Completed): Browser hijacking and ad injection
  • Stage 2 (In Progress): Cryptocurrency miner deployment on high-performance gaming systems
  • Stage 3 (Pending): Information stealer targeting saved passwords, payment data, game account credentials

Data at Risk:

  • Customer Payment Information: Credit cards processed on potentially compromised network
  • Game Account Credentials: Steam, Epic Games, Riot accounts with saved passwords
  • Customer Personal Data: Names, emails, payment history from gaming station logs
  • Business Data: Payment processing logs, customer database, tournament registrations

Current Threat Status

Immediate Danger: 80 gaming stations actively compromised with browser hijacking and ad injection

Escalating Risk: Cryptocurrency miners deploying on gaming PCs, degrading performance before tournament

Critical Threat: Information stealer scheduled to activate Friday evening—would harvest customer payment data and game accounts overnight

Attack Objective: Browser hijacking for ad revenue, cryptocurrency mining for profit, credential theft for account sales

Investigation Progress Tracking

Session Worksheet - Mark Progress as Team Discovers

Round 1: Discovery Phase

Malmon Identification:

Initial Containment Actions:

Key Discovery: Gaming performance optimization trust created customer-driven infection across public systems

Round 2: Investigation Phase

Scope Assessment:

Stakeholder Management:

Critical Decision Point: Team must decide between mass reimaging vs individual cleanup, tournament cancellation vs risk acceptance, customer notification vs silent remediation

Round 3: Response Phase

Remediation Actions Chosen:

Response Effectiveness:

Outcome Assessment:

Debrief Discussion Points

Technical Learning:

  • How does public customer system management differ from corporate IT?
  • Why is mass reimaging more effective than individual cleanup for 80 stations?
  • What gaming-specific malware delivery methods did attackers exploit?

Collaboration Insights:

  • How did team balance tournament pressure with thorough remediation?
  • What communication strategies worked for customer notification?
  • How did team manage expectations across Tony (business), Emma (technical), Alex (operations), Jessica (customer care)?

Reflection Questions:

  • “How do public customer systems create unique security challenges?”
  • “What would you design differently for gaming cafe security?”
  • “How can customer education reduce security risks without limiting gaming experience?”

Type Effectiveness Matrix

FakeBat (Downloader/Social) - Response Effectiveness

Highly Effective (+3 Bonus)

Mass Station Reimaging:

  • Simultaneously restores all 80 gaming stations to clean state
  • Eliminates all malware variants across public systems
  • Implements consistent security baseline
  • Why Effective: Downloader’s multi-station scale makes individual cleanup impractical—mass restoration addresses scope

Gaming Software Verification System:

  • Whitelists legitimate gaming utilities and performance tools
  • Blocks unauthorized software installations by customers
  • Provides approved alternatives to fake performance enhancers
  • Why Effective: Prevents social engineering reinfection by addressing customer behavior patterns

Moderately Effective (+2 Bonus)

Customer Education Program:

  • Teaches gamers to recognize fake performance software
  • Provides guidance on safe gaming utility sources
  • Explains risks of unverified downloads
  • Why Effective: Addresses social engineering vulnerability but requires ongoing reinforcement

Network Segmentation:

  • Isolates payment processing from gaming station network
  • Protects customer financial data from compromised systems
  • Limits lateral movement potential
  • Why Effective: Reduces damage scope but doesn’t remove existing infection

Somewhat Effective (+1 Bonus)

Station Isolation:

  • Quarantines compromised gaming stations from network
  • Prevents further spread to clean systems
  • Protects payment terminals
  • Why Effective: Contains threat but doesn’t scale well across 80 stations

Payment System Protection:

  • Enhanced monitoring of payment terminal network
  • Credential rotation for payment processing
  • Transaction security verification
  • Why Effective: Protects critical data but doesn’t address malware on gaming systems

Neutral Effectiveness (No Bonus)

Antimalware Deployment:

  • Scanning tools detect some FakeBat variants
  • Removes known malware signatures
  • Provides ongoing monitoring
  • Why Neutral: Useful supplemental tool but insufficient alone against a downloader that constantly fetches new payloads

Ineffective (-1 or -2 Penalty)

Individual Station Cleanup (-1):

  • Manually removing malware from each of 80 stations
  • Would require 160+ hours of labor (2 hours per station minimum)
  • Inconsistent results across stations
  • Why Ineffective: Scope makes individual approach impractical—mass solution required

Trusting Customer Actions (-2):

  • Assuming customers won’t download suspicious software again
  • Continuing with open installation permissions
  • No verification or education systems
  • Why Ineffective: Social engineering exploits gaming culture—without addressing behavior, reinfection inevitable

Postponing Remediation (-2):

  • Delaying cleanup until after tournament
  • Allowing information stealer to activate Friday
  • Risking customer payment data theft
  • Why Ineffective: Information stealer activation would create confirmed data breach requiring customer notification and potential legal consequences

Facilitator Notes

If team is stuck:

  • Emma can propose mass reimaging vs individual cleanup trade-offs
  • Tony can share tournament timeline constraints and business impacts
  • Alex can clarify minimum tournament technical requirements
  • Jessica can highlight payment security concerns and customer protection obligations

If team rushes to conclusions:

  • Emphasize 80-station scale challenge (“Individual cleanup = 160 hours of work”)
  • Introduce information stealer Friday activation deadline
  • Present customer reinfection risk without education/verification
  • Highlight payment network proximity concerns

Common mistakes to address:

  • Attempting individual station cleanup instead of mass restoration
  • Ignoring customer education (reinfection will occur)
  • Prioritizing tournament over customer data protection
  • Silent remediation without customer notification about payment risks

Round 1: Discovery Phase

Investigation & Initial Findings

Starting Information

What Team Knows:

  • Customer complaints about browser redirects and ads
  • Multiple fake gaming software programs identified on sample stations
  • 80 total gaming stations in cafe
  • Saturday esports tournament in 48 hours
  • Payment terminals on same network as gaming stations

Available Actions:

  • Interview affected customers and staff
  • Analyze fake software behavior and installation sources
  • Check scope across all 80 gaming stations
  • Review network architecture and payment system integration
  • Research gaming software delivery vectors

Investigation Challenges

Fake Software Analysis (DC 10):

  • Success: Identify FakeBat downloader signatures in fake gaming utilities
  • Critical Success: Discover staged secondary payloads (crypto miner, information stealer), trace download sources to compromised gaming websites

Station Scope Assessment (DC 12):

  • Success: Confirm 80-station compromise through automated scanning
  • Critical Success: Map infection timeline showing customer-driven spread throughout tournament week, identify payment network proximity
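The automated station scan above and the Gaming Software Verification System in the Type Effectiveness Matrix come down to the same decision: is each program on a station approved by pinned hash or by an exact trusted signer, or not. The Python below is an added illustration written for this page, not a tool from the Malware & Monsters scenario; the allowlist, signer subjects, hashes and four-station inventory are constructed sample data, and a real deployment would express the same rules as an AppLocker or WDAC policy.

```python
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    station: str
    name: str
    publisher: str  # code-signing certificate subject; empty string if unsigned
    sha256: str     # hex digest of the executable


# Constructed allowlist. In production this would be an AppLocker/WDAC policy;
# here it is plain data so the decision logic can run offline.
APPROVED_HASHES = {
    "a1" * 32: "Steam client (pinned build)",
    "b2" * 32: "Approved GPU driver installer",
}
# Publisher rules are matched on the exact signer subject string, so a
# lookalike name ("Gamlng" for "Gaming") does not pass.
APPROVED_PUBLISHERS = {
    "CN=Contoso Gaming Ltd, O=Contoso Gaming Ltd, C=US",
}


def classify(p: Program) -> str:
    """Return 'approved', 'unsigned' or 'untrusted-signer' for one program."""
    if p.sha256.lower() in APPROVED_HASHES:
        return "approved"
    if not p.publisher:
        return "unsigned"
    if p.publisher in APPROVED_PUBLISHERS:
        return "approved"
    return "untrusted-signer"


def parse_inventory(text: str) -> list[Program]:
    """Parse a CSV export (station,name,publisher,sha256) from the station scan."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [Program(r["station"], r["name"], r["publisher"], r["sha256"]) for r in reader]


def sweep(programs: list[Program]) -> dict[str, list[tuple[str, str]]]:
    """Map each station to its unapproved programs; clean stations are absent."""
    findings: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for p in programs:
        verdict = classify(p)
        if verdict != "approved":
            findings[p.station].append((p.name, verdict))
    return dict(findings)


def scope_report(programs: list[Program], total_stations: int,
                 hours_per_station: int = 2) -> dict:
    """Fleet-level numbers for the incident manager, including stations not yet scanned."""
    findings = sweep(programs)
    scanned = {p.station for p in programs}
    compromised = len(findings)
    return {
        "total_stations": total_stations,
        "scanned": len(scanned),
        "unscanned": total_stations - len(scanned),
        "compromised": compromised,
        "clean": len(scanned) - compromised,
        "manual_cleanup_hours": compromised * hours_per_station,
        "unapproved_programs": sorted({n for items in findings.values() for n, _ in items}),
    }


# Constructed sample scan of four stations (not real indicators).
_PUB_OK = "CN=Contoso Gaming Ltd, O=Contoso Gaming Ltd, C=US"
_PUB_LOOKALIKE = "CN=Contoso Gamlng Ltd, O=Contoso Gamlng Ltd, C=US"
SAMPLE_INVENTORY = f"""\
station,name,publisher,sha256
GS-01,Steam,"{_PUB_OK}",{'a1' * 32}
GS-01,GameBoost Pro,,{'c3' * 32}
GS-02,Steam,"{_PUB_OK}",{'a1' * 32}
GS-02,GraphicsDriverUpdate.exe,"{_PUB_LOOKALIKE}",{'d4' * 32}
GS-03,Steam,"{_PUB_OK}",{'a1' * 32}
GS-03,Tournament Overlay,"{_PUB_OK}",{'e5' * 32}
GS-04,FPS_Optimizer,,{'f6' * 32}
GS-04,EsportsLauncher,"CN=Pro Gamer Tools, O=Pro Gamer Tools, C=US",{'07' * 32}
"""

if __name__ == "__main__":
    progs = parse_inventory(SAMPLE_INVENTORY)
    for station, items in sorted(sweep(progs).items()):
        print(station, items)
    print(scope_report(progs, total_stations=80))
```

Run against the sample, GS-03 comes back clean because its overlay is signed by the exact approved subject, while the lookalike-signed driver updater on GS-02 is flagged.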

Network Architecture Review (DC 15):

  • Success: Understand payment terminal network configuration
  • Critical Success: Discover lack of network segmentation exposing customer payment data to compromised gaming stations

Key Discovery Moments

The Gaming Culture Exploitation:

When team investigates how infections spread:

“Customers routinely download ‘performance enhancers,’ ‘FPS optimizers,’ and ‘graphics driver updates’ to improve gaming experience. The fake software looked legitimate—it even appeared to work at first by displaying performance metrics. Gamers trust these tools as part of competitive gaming culture.”

The Scale Realization:

When Emma reports full assessment:

“I’ve completed automated scanning—all 80 gaming stations are compromised. If we do individual cleanup at 2 hours per station, that’s 160 hours of work. We have 48 hours until tournament, and I’m one person. We need a mass solution.”

The Payment Network Risk:

When Jessica investigates payment security:

“Our payment terminals process customer credit cards on the same network as the gaming stations. There’s no segmentation. If attackers pivot from gaming PCs to payment systems, every customer who’s used a credit card here is at risk.”

The Malmon Identity:

When team pieces together attack pattern:

“This is FakeBat—a Downloader/Social malmon that exploits trust in gaming performance software to establish browser hijacking, then downloads secondary payloads. It’s specifically designed to target gaming environments and public computer systems.”

Round 1 Conclusion

What Team Should Discover:

  1. Attack Vector: Fake gaming software exploiting performance optimization trust
  2. Malmon Identity: FakeBat (Downloader/Social)
  3. Infection Scope: All 80 gaming stations compromised
  4. Current Activity: Browser hijacking, ad injection, preparing secondary payloads
  5. Critical Risks: Payment network proximity, tournament timeline pressure

Stakeholder Reactions:

  • Tony (Manager): Panicking about tournament cancellation—“We’ve already spent sponsorship money, we can’t afford to cancel!”
  • Emma (Systems Admin): Proposing mass remediation strategies—“Individual cleanup won’t work at this scale”
  • Alex (Tournament Coordinator): Worried about sponsor disappointment and participant communication
  • Jessica (Customer Support): Advocating for customer notification about payment risk—“We have a responsibility to tell them”

Transition to Round 2:

“You’ve identified FakeBat across all 80 gaming stations and understand the scale challenge. But as Emma digs deeper into the malware behavior, she discovers something alarming: FakeBat is staging secondary payloads. A cryptocurrency miner is already deploying—and an information stealer is scheduled to activate Friday evening, targeting customer payment data and game account credentials. Your 48-hour timeline just became more urgent.”

Round 2: Investigation Phase

Scope Assessment & Critical Decisions

Expanded Investigation Findings

Secondary Payload Discovery:

  • Cryptocurrency Miner (Deploying Now): Mining software targeting gaming PCs’ high-performance GPUs, degrading game performance
  • Information Stealer (Activates Friday 8 PM): Scheduled to harvest saved passwords, payment autofill data, game account credentials
  • Timeline: 28 hours until information stealer activation (Friday evening during peak gaming hours)

Customer Data Exposure Risk:

  • Payment Data: Credit card information from customers who paid at gaming stations
  • Game Accounts: Steam, Epic Games, Riot credentials with saved passwords
  • Personal Information: Names, emails, addresses from tournament registrations
  • At-Risk Customers: Approximately 300 unique customers who used gaming stations this week

Tournament Sponsor Pressure:

Alex reports: “Sponsors are arriving tomorrow to set up branded stations and streaming equipment. They’ve invested $5,000 in the prize pool and expect professional tournament operations. If we cancel, they’ll work with our competitors instead.”

Stakeholder Pressure Intensifies

Tony Kim (Cafe Manager):

“I already used the sponsorship money to upgrade our streaming equipment—we needed it to host professional tournaments. If we cancel, I can’t return funds I’ve spent, and we lose future sponsorship opportunities. Can we just clean enough stations for the tournament and fix the rest later?”

Present choice: Partial cleanup for tournament vs complete remediation

Emma Foster (Systems Administrator):

“I can do mass reimaging—we have a master image for gaming stations. It’ll take 24 hours to reimage all 80 stations, or I can do just the 20 tournament stations in 6 hours. But if we don’t fix the underlying issue—customers downloading fake software—we’ll be reinfected within days.”

Present choice: Complete mass remediation vs tournament-only cleanup vs hybrid approach with customer controls

Alex Rodriguez (Tournament Coordinator):

“I need to communicate with 150 registered participants. Do I tell them the tournament is postponed? That we had a security incident? Or do I just confirm everything’s on schedule? Participants are traveling from across the state—some are already in hotels.”

Present choice: Tournament cancellation vs proceeding vs modified timeline

Jessica Wong (Customer Support Lead):

“If that information stealer activates Friday evening, it’ll harvest customer payment data. We have an ethical and possibly legal obligation to notify customers before their data is stolen. But if we tell them now, we’ll create panic and damage our reputation. What do we prioritize—their safety or our business?”

Present choice: Immediate customer notification vs delayed notification vs targeted notification after remediation

The Scale Challenge

Emma’s Technical Assessment:

“Here are our options:

Option A: Mass Reimaging (24 hours)

  • Restores all 80 stations to clean baseline simultaneously
  • Implements software verification system preventing reinfection
  • Misses Friday setup but possibly allows Saturday afternoon modified tournament

Option B: Tournament-Only Cleanup (6 hours)

  • Manual removal on 20 tournament stations by Friday morning
  • Remaining 60 stations stay compromised
  • High reinfection risk, information stealer still activates on other stations

Option C: Hybrid Approach (30 hours)

  • Reimage tournament stations immediately (6 hours)
  • Implement network segmentation protecting payment systems (4 hours)
  • Mass reimage remaining stations after tournament (20 hours)
  • Deploy customer education and software verification before reopening

“Which approach balances security, customer protection, and business needs?”

Investigation Challenges

Secondary Payload Analysis (DC 15):

  • Success: Identify cryptocurrency miner and information stealer staging
  • Critical Success: Discover exact activation timeline, determine data exposure scope, map command-and-control infrastructure

Mass Remediation Planning (DC 12):

  • Success: Design efficient mass reimaging strategy
  • Critical Success: Develop post-remediation controls preventing customer-driven reinfection

Stakeholder Communication (DC 18):

  • Success: Gain agreement on remediation approach balancing all concerns
  • Critical Success: Position security incident as opportunity to demonstrate customer protection commitment, strengthening long-term reputation

Round 2 Conclusion

What Team Must Decide:

  1. Remediation Strategy: Mass reimaging vs tournament-only vs hybrid approach
  2. Tournament Decision: Cancel vs proceed vs postpone vs modify
  3. Customer Notification: Immediate vs delayed vs targeted vs silent
  4. Long-term Controls: Software verification, customer education, network segmentation priority

The Central Tension:

Public customer systems created the vulnerability through gaming culture trust—now that same business model pressures the team to prioritize the tournament over customer data protection.

Transition to Round 3:

“You have complete technical information about FakeBat’s behavior and timeline. The question now is: What kind of gaming cafe do you want to be? One that prioritizes single events over customer protection? Or one that demonstrates trustworthy security practices even when it costs business in the short term?”

Round 3: Response Phase

Critical Response Decision

The Situation

Technical Status:

  • FakeBat downloader on all 80 gaming stations
  • Cryptocurrency miner deploying (degrading gaming performance)
  • Information stealer activating Friday 8 PM (28 hours)
  • 300 customers potentially affected
  • Payment network unsegmented from gaming stations

Stakeholder Positions:

  • Tony (Manager): Wants tournament to proceed—already spent sponsorship money
  • Emma (Systems Admin): Recommends mass reimaging with software verification
  • Alex (Tournament Coordinator): Needs decision for participant communication—traveling competitors arriving
  • Jessica (Customer Support): Advocates customer notification before data theft

Timeline Pressure:

  • Saturday tournament: 48 hours
  • Information stealer activation: 28 hours
  • Sponsors arrival: 20 hours
  • Current time: Thursday 3:45 PM

Response Option Paths

Path A: Customer Protection Priority (Complete Remediation)

Actions:

  • Immediate customer notification about payment data risk
  • Mass reimaging of all 80 gaming stations (24 hours)
  • Network segmentation implementation (payment system isolation)
  • Gaming software verification system deployment
  • Customer education program before reopening
  • Tournament postponed to following Saturday with transparent sponsor communication

Consequences:

  • Tournament delayed but rescheduled with sponsor support for transparency
  • Customer trust maintained through proactive notification
  • Complete malware removal prevents data theft
  • Reinfection prevented through verification controls
  • Outcome: Short-term tournament delay, long-term reputation as customer-protective venue, sponsors appreciate security commitment

Type Effectiveness: Mass Reimaging +3, Software Verification +3, Customer Education +2, Network Segmentation +2

DC Requirements: Technical remediation (DC 15), Sponsor negotiation (DC 18), Customer communication (DC 15)

Path B: Hybrid Approach (Balanced Risk Management)

Actions:

  • Emergency tournament station cleanup (20 stations reimaged, 6 hours)
  • Immediate network segmentation (isolate payment systems)
  • Information stealer prevention deployment across all stations
  • Tournament proceeds Saturday on secured stations
  • Mass remediation of remaining 60 stations Sunday-Monday
  • Targeted customer notification (those who used non-tournament stations)
  • Software verification implementation before full reopening

Consequences:

  • Tournament proceeds with reduced station count (20 instead of 80)
  • Payment data protected through network isolation
  • Information stealer prevented from activating
  • Full cleanup completed post-tournament
  • Outcome: Tournament proceeds with modifications, customer data protected, complete remediation within week

Type Effectiveness: Mass Reimaging +3, Network Segmentation +2, Software Verification +3, Station Isolation +1

DC Requirements: Technical remediation (DC 15), Tournament logistics modification (DC 12), Customer communication (DC 15)

Path C: Tournament Priority (Minimal Remediation)

Actions:

  • Manual malware removal on tournament stations only
  • Tournament proceeds as scheduled
  • No customer notification to avoid panic
  • Delayed mass remediation until after tournament
  • Continued customer use of compromised systems Friday evening

Consequences:

  • Information stealer activates Friday 8 PM across non-tournament stations
  • Customer payment data and game accounts stolen
  • Data breach notification required after discovery
  • Customer lawsuits for negligent data protection
  • Sponsor relationship damaged when breach becomes public
  • Competitor gaming cafes exploit security failure in marketing
  • Outcome: Tournament proceeds but catastrophic data breach, customer trust destroyed, potential business closure

Type Effectiveness: Individual Cleanup -1, Postponing Remediation -2, Trusting Customer Actions -2 (ineffective approaches compound failure)

DC Requirements: All DCs increased +5 due to data breach aftermath, customer lawsuits, regulatory investigation

Response Execution Challenges

Mass Remediation (DC 15 for tournament stations, DC 18 for all 80):

  • Success: All stations restored to clean baseline with consistent configuration
  • Failure: Incomplete cleanup leaves information stealer active, customer data stolen

Sponsor Communication (DC 18 for postponement, DC 12 for modification):

  • Success: Sponsors appreciate transparency and security commitment, agree to reschedule or modification
  • Failure: Sponsors withdraw support, tournament canceled without future opportunities

Customer Notification (DC 15):

  • Success: Clear communication maintains customer trust despite incident
  • Failure: Poor communication creates panic, reputation damage exceeds actual security impact

Software Verification Deployment (DC 12):

  • Success: Prevents customer reinfection while maintaining gaming experience
  • Failure: Verification that is too restrictive frustrates gamers; verification that is too permissive allows reinfection

Outcome Determination

Victory Conditions Met:

  1. FakeBat completely removed from all gaming stations
  2. Customer payment data and game accounts protected
  3. Tournament proceeds (possibly modified) or professionally postponed
  4. Software verification and customer education prevent reinfection

Partial Success:

  • Malware removed but customers not notified (ethical failure despite technical success)
  • Tournament proceeds but reputation damaged by rushed response
  • Complete cleanup achieved but business financially harmed by cancellation

Failure:

  • Information stealer activates, customer data stolen
  • Data breach notification required, lawsuits filed
  • Tournament sponsors withdraw, event canceled
  • Competitor cafes exploit security failure
  • Business closure risk from combined reputation and financial damage

Round 3 Conclusion

Success Narrative Example (Path A or B):

“By Friday morning, all tournament gaming stations are restored to clean baselines with software verification systems preventing reinfection. You’ve notified affected customers about the security incident and your proactive protection measures. Some customers appreciate the transparency; others are concerned but respect your honesty.

“Saturday’s tournament proceeds with 20 secured stations instead of the planned 80. Sponsors are impressed by your transparent handling—they’d rather be associated with a trustworthy venue that handles incidents professionally than one that takes security shortcuts. Several sponsors commit to future partnerships specifically because you demonstrated customer protection priority.

“By Monday, all 80 stations are clean with software verification active. You’ve implemented customer education about safe gaming software sources. Level Up Gaming Cafe becomes known as the secure gaming venue—the place that chose customer protection over a single tournament’s revenue.”

Failure Narrative Example (Path C):

“The tournament proceeds Saturday with manually cleaned stations. Friday evening at 8 PM, the information stealer activates across 60 non-tournament gaming stations, harvesting customer payment data and game account credentials from 300 customers.

“By Sunday, customers report fraudulent charges and compromised game accounts. By Monday, your data breach notification reveals the full scope. Customer lawsuits are filed for negligent data protection. Sponsors distance themselves from the venue, citing security concerns. Competitor cafes advertise your breach in their marketing: ‘Play Secure—We Protect Your Data.’

“Level Up Gaming Cafe faces financial crisis from legal costs, lost business, and reputation damage. The single tournament you saved becomes the event that destroyed your business—because you chose short-term revenue over customer protection.”

Debrief Framework

Learning Consolidation & Reflection

Technical Debrief

What Just Happened (Technical Summary):

  1. Attack Vector: Fake gaming software exploiting performance optimization trust culture
  2. Malmon Behavior: FakeBat downloader established browser hijacking, staged crypto miner and information stealer
  3. Scale Challenge: 80-station compromise required mass remediation, not individual cleanup
  4. Detection Method: Customer complaints led to behavioral analysis revealing downloader signatures
  5. Response Challenge: Balancing mass restoration speed with tournament timeline and customer protection

Type Effectiveness Review:

  • Why Mass Reimaging +3? At 80-station scale, individual cleanup is impractical—simultaneous restoration is the only viable approach
  • Why Software Verification +3? Prevents social engineering reinfection by controlling what customers can download and run
  • Why Individual Cleanup -1? 160+ hours of labor for 80 stations—the scope makes an individual approach ineffective
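The Software Verification Deployment challenge above asks for a control that is neither too restrictive nor too permissive, and this review credits verification with blocking reinfection. The following tiered check is an added illustration, not part of the scenario materials: a vetted-hash allowlist, a trusted-publisher tier, and a staff-review tier so legitimate downloads from an unexpected mirror are held rather than silently blocked. All hashes, publisher names and hosts are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for installers cafe staff have vetted (not real files);
# in practice these hashes come from installers verified by staff.
VETTED_INSTALLERS = {
    hashlib.sha256(b"constructed: vetted GPU driver installer").hexdigest(),
    hashlib.sha256(b"constructed: vetted game launcher installer").hexdigest(),
}
# Hypothetical publisher names and download hosts the cafe policy trusts.
TRUSTED_PUBLISHERS = {"Example GPU Vendor Inc.", "Example Game Platform LLC"}
TRUSTED_HOSTS = {"downloads.example-gpu-vendor.test", "cdn.example-game-platform.test"}


@dataclass
class Download:
    filename: str
    content: bytes           # installer bytes (constructed in the examples)
    signer: Optional[str]    # code-signing publisher name, None when unsigned
    source_host: str         # host the customer fetched the file from


def verify_download(d: Download) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'allow', 'review' or 'block'."""
    digest = hashlib.sha256(d.content).hexdigest()
    # Tier 1: byte-for-byte match with a staff-vetted installer is always allowed.
    if digest in VETTED_INSTALLERS:
        return "allow", "hash matches a vetted installer"
    # Tier 2: a trusted publisher's signature, fetched from that publisher's host.
    if d.signer in TRUSTED_PUBLISHERS and d.source_host in TRUSTED_HOSTS:
        return "allow", "signed by trusted publisher from trusted host"
    # Tier 3: trusted signer but unfamiliar host; hold for staff instead of
    # blocking outright so a legitimate mirror does not frustrate the customer.
    if d.signer in TRUSTED_PUBLISHERS:
        return "review", "trusted signer but unrecognised host; staff check"
    # Everything else, including unsigned "performance boosters", is blocked.
    return "block", "unsigned or untrusted publisher"


if __name__ == "__main__":
    samples = [
        Download("gpu_driver.exe", b"constructed: vetted GPU driver installer", None, "mirror.test"),
        Download("booster.exe", b"constructed: fake booster", None, "free-gaming-tools.test"),
    ]
    for s in samples:
        print(s.filename, *verify_download(s))
```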

Technical Learning Question:

“How would you design gaming cafe security that allows customer freedom while preventing malware reinfection through gaming culture trust?”

Collaboration Debrief

Stakeholder Management Review:

  • Tony (Manager): How did tournament pressure affect security decisions? What changed his perspective on customer protection priority?
  • Emma (Systems Admin): What technical strategies addressed the mass-scale challenge? How did the team support the overwhelmed admin?
  • Alex (Tournament Coordinator): How did the team balance sponsor commitments with security needs? What communication strategies worked?
  • Jessica (Customer Support): How did the team approach customer notification? What factors influenced timing and transparency?

Communication Strategies:

  • What worked for gaining stakeholder agreement despite competing priorities?
  • How did the team position the security incident to sponsors as trust-building rather than failure?
  • What customer communication approaches maintained trust despite data risk disclosure?

Collaboration Learning Question:

“How does public customer system security require different stakeholder management than corporate IT? What unique challenges does gaming culture create?”

Reflection & Real-World Connection

Scenario Themes:

  1. Public System Security: How customer-driven actions create unique vulnerabilities and scale challenges
  2. Gaming Culture Exploitation: How performance optimization trust enables social engineering at scale
  3. Mass Remediation Strategies: When individual approaches fail and systemic solutions become necessary

Personal Reflection Questions:

  • “Have you seen business pressure override security thoroughness in your organizations? How did you navigate that tension?”
  • “How would you balance customer freedom with protection in public computer environments?”
  • “What surprised you about the scale challenge—why mass remediation instead of individual cleanup?”

Real-World Context:

  • Gaming cafes, internet cafes, libraries, and schools all face public system security challenges
  • Customer behavior in these environments is unpredictable—trust-based controls are insufficient
  • Mass remediation strategies (reimaging, verification systems, network segmentation) scale better than individual approaches
  • Gaming culture’s performance optimization focus creates an exploitable social engineering opportunity

Facilitator Self-Reflection

Session Assessment:

  • Pacing: Did scale challenge emerge naturally or feel forced?
  • NPC Development: Did characters demonstrate realistic business vs security tension?
  • Challenge Balance: Were DCs appropriate for mass remediation complexity?
  • Learning Moments: What insights about public system security emerged organically?

Adaptation Notes for Next Time:

  • Easier: Reduce station count to 40, extend tournament timeline, provide complete master image solution
  • Harder: Add confirmed payment breach requiring PCI-DSS notification, include tournament streaming compromise visible to viewers
  • Industry variations: Library (patron computers), school (student labs), internet cafe (browsing), coworking (shared resources)

Victory Celebration

If Team Succeeded:

Acknowledge specific excellent decisions:

  • “Choosing mass reimaging over individual cleanup showed excellent understanding of scale challenges—that saved the response.”
  • “Communicating transparently with sponsors about security priorities actually strengthened those relationships.”
  • “Recognizing customer education as reinfection prevention—not just technical controls—demonstrated mature security thinking.”

What This Victory Means:

“You protected 300 customers from financial fraud and game account theft. You demonstrated that customer security and business success aren’t competing priorities—they’re integrated. Level Up Gaming Cafe will be known as the secure venue, the place that chose customer protection over a single tournament’s revenue. That reputation will drive long-term business growth that far exceeds one event’s sponsorship.”


Thank You for Playing!

Continue the Adventure

Share Your Experience

  • Feedback: How did this scenario work for your team? Share with us
  • Customization: Adapted this scenario for library, school lab, or coworking space? We’d love to hear about it!

Explore More Scenarios

  • FakeBat Small Business: Limited resource constraints and operational pressure
  • FakeBat Nonprofit: Mission urgency and donor trust management
  • FakeBat Coworking: Shared workspace security across multiple organizations


May your systems stay clean and your tournaments run smoothly!