Client presentation pressure creates fake update vulnerability
2026-02-03
Scenario Details:
IM Quick Start:
Press ‘P’ for player-safe mode before showing slides!
Other essential keys:
The Situation:
Creative Solutions Studio is managing client campaigns when employees notice their browsers redirecting to unexpected websites and displaying persistent advertisements. Staff report installing “critical software updates” for design tools, but these were sophisticated software masquerading attacks delivering multi-stage trojan payloads. Major client presentation scheduled for Friday.
Your Role:
You are the incident response team for Creative Solutions Studio. The agency’s business owner has called you in because the compromised design workstations are threatening both client data security and the ability to deliver a critical presentation that could make or break the company’s reputation.
Victory Condition:
Successfully identify and remove FakeBat downloader, restore design workstation integrity, protect client data, maintain Friday presentation timeline, and implement user education to prevent recurrence.
Quick Reference
Type: Full-service digital marketing agency providing creative services, brand strategy, web development, social media management, and digital advertising campaigns for small-to-medium business clients across retail, hospitality, professional services, and nonprofit sectors.
Size: 45 employees including 18 creative professionals (graphic designers, web designers, copywriters, video producers), 12 account managers handling client relationships and project coordination, 8 digital marketing specialists (SEO, paid advertising, social media strategy), 5 operations staff (HR, finance, office management), 1 part-time IT coordinator (Jake Chen, 20 hours/week), 1 owner/creative director managing overall agency strategy and major client relationships.
Operations: Project-based revenue model serving 85 active clients generating $3.2 million annual revenue, retainer agreements ($2,500-15,000 monthly) providing recurring revenue base, project work (website launches, rebrands, campaign development) creating revenue spikes, agency operates on 18-22% profit margins typical of creative services businesses, client retention drives business stability (losing major client eliminates months of profit), new business development through referrals and competitive pitches.
Critical Services: Client campaign development and creative production, website design and development requiring Adobe Creative Suite and collaborative tools, social media content creation and community management, digital advertising campaign management across Google Ads, Meta platforms, LinkedIn, brand strategy and marketing consulting for client business objectives.
Technology Infrastructure: Adobe Creative Suite (Photoshop, Illustrator, InDesign, Premiere Pro, After Effects) on 18 designer workstations, project management platforms (Monday.com) coordinating client deliverables, cloud file storage (Google Workspace) for client assets and collaboration, browser-based research and social media management tools, shared network with minimal segmentation (designers access client files, research resources, cloud platforms simultaneously), part-time IT coordinator handles reactive support (password resets, software installations, printer troubleshooting) but lacks cybersecurity expertise or proactive security monitoring capabilities.
Current Crisis Period: Thursday afternoon before Friday 10am client presentation—creative team finishing final presentation slides and campaign mockups for major Fortune 500 prospect pitch, account team rehearsing presentation delivery, agency owner preparing for career-defining business development opportunity, IT coordinator working remote half-day (available by phone only).
Major Client Presentation & Agency Survival: Friday 10am pitch to Fortune 500 retail client represents $400K annual contract (12.5% of agency revenue)—six-month competitive pitch process, final presentation showcasing brand refresh strategy, digital campaign creative, website redesign concepts, social media content calendar, all developed on spec (unpaid) by creative team investing 240 hours, presentation materials require designer workstation access for final refinements and export to presentation formats, FakeBat infection compromising lead designer’s system (Maria Garcia) who created core presentation assets and holds institutional knowledge of creative rationale, losing this opportunity means eliminating planned expansion (hire 3 additional staff), agency owner invested personal savings covering spec work costs, competitive pitch means no second chance if presentation fails, small business survival depends on winning transformational contracts that elevate agency tier and enable stable growth.
Creative Production Infrastructure & Workflow Continuity: 18 designer workstations running Adobe Creative Suite representing $32,400 annual licensing investment plus $54,000 in hardware (iMacs, displays, peripherals)—FakeBat browser hijacking disrupts designers’ web-based research (reference images, competitor analysis, trend research), credential theft threatens Adobe Creative Cloud accounts, Google Workspace access, client portal logins, malware’s multi-stage loader capabilities mean secondary payloads could deploy ransomware targeting client creative assets and intellectual property, creative workflow depends on seamless browser access (stock photo services, font libraries, color palette tools, design inspiration platforms), containment requires taking designers offline during active project work affecting 12 concurrent client campaigns with deliverable deadlines next week, small agency lacks redundant systems or backup workstations enabling graceful degradation.
Agency Reputation & Small Business Viability: Creative services industry where portfolio quality and reliability define competitive advantage—existing 85 clients generate revenue through ongoing trust in agency capabilities, referral-based business development means reputation damage spreads through professional networks, clients are small businesses themselves (restaurants, retail shops, professional practices) who cannot afford agency failures affecting their marketing, breach of client data (brand assets, unreleased campaigns, business strategies) destroys confidentiality foundation of agency-client relationship, small business market means competitors ready to receive dissatisfied clients (“more reliable agency”), agency operates on thin margins where one lost major client or reputation incident threatens business viability, owner’s personal financial investment and 45 employees’ livelihoods depend on maintaining professional credibility.
Thursday 3:30 PM - Infection Discovery 18 Hours Before Career-Defining Presentation:
Creative Director Sarah Mitchell received panicked Slack message from lead designer Maria Garcia: “My browser keeps redirecting to weird sites, and I just got a notification that some ‘Creative Cloud Helper’ software installed. I didn’t authorize that.” Maria had downloaded what appeared to be Adobe font management plugin from Google search result Wednesday afternoon while preparing presentation typography—convincing fake website mimicked Adobe’s design language, software installed smoothly, seemed legitimate until browser behavior degraded Thursday afternoon.
Part-time IT coordinator Jake Chen (working remotely) connected to Maria’s workstation and discovered that the FakeBat multi-stage loader had installed browser hijacking components, modified Chrome extensions, and was actively communicating with external command-and-control infrastructure. Jake’s investigation revealed two additional designer workstations showing similar indicators: fake software installations, browser modifications, credential access attempts.
But Friday 10am presentation is agency’s most critical business opportunity in five years. Maria’s workstation contains master presentation file with 60 slides of custom creative work, brand strategy frameworks, campaign mockups that cannot be recreated in 18 hours. Account manager David Wilson texted: “Rehearsal in 2 hours, need final slides. Client confirmed attendance—CMO, VP Marketing, Brand Director. This is our shot.”
Agency owner Sarah knows: isolate infected workstations (best security practice, prevent spread) but lose access to presentation materials and designer expertise finishing Friday deliverable, OR maintain creative team access through Friday presentation (business survival) but risk credential theft, data exfiltration, and potential ransomware deployment across client assets.
Critical Timeline:
- Current moment (Thursday 3:30pm): FakeBat discovered on 3 designer workstations, Friday 10am presentation 18.5 hours away
- Stakes: $400K client contract, agency expansion plans, 45 employees’ job security, small business survival
- Dependencies: Lead designer’s workstation holds presentation assets, part-time IT coordinator has limited incident response expertise, no redundant systems or backup creative capacity
Creative workflow autonomy encouraged designer software experimentation: Agency culture celebrates “creative problem-solving” and “finding the best tools”—when designers request specialized fonts, productivity plugins, or workflow enhancement software, management approves to “empower creative excellence” and “avoid limiting artistic capabilities.” Creative Director decision: trust professional designers to find tools improving work quality over restricting software installations creating “corporate bureaucracy feel.” Decision made business sense—creative agencies compete on innovation and quality, designers need autonomy exploring new techniques and resources, micromanaging software choices signals distrust damaging creative culture, small agency differentiates from large corporate shops through flexibility and designer empowerment. No software approval process or installation restrictions meant Maria downloading “Adobe font manager” seemed like normal professional behavior seeking to enhance typography work. FakeBat exploited this exact creative autonomy culture.
Part-time IT model reflects small business budget constraints: Agency operates on 18-22% profit margins with $3.2M revenue supporting 45 salaries, benefits, software licenses, rent, and operating costs—full-time IT security specialist ($75K-95K annually) represents 2.3-3.0% of revenue (eliminates profit margin), management determined 20-hour/week IT coordinator ($32K annually) provides “adequate support for basic needs” while maintaining business viability. Budget reality: small agencies prioritize billable creative staff over non-revenue infrastructure positions, IT spending competes with designer salaries directly affecting creative output quality, managed security services ($2,500-4,000 monthly) cost more than IT coordinator’s entire compensation. Jake Chen hired as “tech-savvy generalist” handling help desk support, not cybersecurity professional conducting threat hunting. Small business constraint: cannot afford enterprise security while competing for clients on creative deliverable quality and pricing.
Client deadline pressures prevent security maintenance windows: Creative services operate under constant deadline pressure—12 concurrent client campaigns with deliverables due weekly, Friday presentation represents months of spec work, designers cannot “pause creative work for IT maintenance” without missing client commitments. When Jake proposed scheduling security updates and system patches, account managers rejected: “We have client deliverables every single day, there’s never a good time to be offline.” Agency business model (multiple simultaneous projects with staggered deadlines) creates perpetual “critical work in progress” preventing planned maintenance. Creative staff work evenings and weekends finishing campaigns—security interruptions eliminate personal time used for deadline completion. Management priority: client deliverable quality and timeliness (drives revenue and retention) over IT maintenance (invisible until crisis occurs).
Spec work investment model creates impossible presentation stakes: Agency spent 240 unpaid hours developing presentation creative, strategy frameworks, and campaign concepts for competitive pitch—owner invested $18,000 in creative labor costs (fully burdened) plus $3,200 in stock photography, fonts, and production resources gambling on winning $400K annual contract. Small agency business development reality: cannot afford to lose major pitches after investing significant resources, transformational clients enable tier elevation and stable growth, missing Friday presentation means $21,200 sunk cost with zero return, no second chance in competitive pitch environment. Stakes aren’t just “one lost client”—they’re months of investment, planned expansion, staff hiring decisions, owner’s personal financial risk. This context explains why “just postpone the presentation” isn’t viable option.
Small creative agencies operate under permanent financial pressure—thin profit margins mean every dollar spent on operations reduces owner compensation or business stability, client retention and new business development are existential requirements not optional activities, reputation and portfolio quality determine competitive survival in crowded market.
Creative workflow culture values autonomy and tool flexibility—designers expected to “find solutions” and “explore techniques,” software restrictions feel like corporate bureaucracy conflicting with creative agency identity, professional trust means letting designers choose tools enhancing their work. This culture creates productivity and innovation while introducing security risk when designers download “productivity enhancing” fake software.
Part-time IT reflects budget reality not negligence—$32K/year coordinator versus $75K+ security specialist, small business cannot afford enterprise IT while maintaining competitive creative staff compensation, IT spending competes directly with billable resources generating revenue. Jake Chen provides adequate help desk support (password resets, software installs, printer fixes) but lacks cybersecurity training for incident response.
Deadline culture creates perpetual “critical work in progress”—multiple simultaneous client campaigns with staggered deliverables mean “never a good time” for security maintenance, creative staff working evenings/weekends to meet commitments cannot lose system access without missing deadlines, agency reputation depends on reliable delivery.
Spec work business development model creates high-stakes presentations—agencies invest tens of thousands in unpaid creative work gambling on transformational contracts, competitive pitches mean no second chances, winning major clients enables tier elevation and stability, losing after significant investment threatens business viability. Friday presentation isn’t “just another client meeting”—it’s culmination of six-month pursuit and $21K investment with agency expansion plans dependent on success.
FakeBat exploited this exact environment—creative autonomy culture encouraging designer software exploration, convincing fake Adobe plugin targeting creative professionals’ legitimate workflow needs, part-time IT lacking expertise for rapid incident response, deadline pressure preventing system isolation, spec work stakes making presentation cancellation unthinkable. Malware designed to exploit small creative business operational realities.
You’re not just responding to FakeBat infection—you’re managing crisis in small creative business where limited IT resources, creative workflow autonomy, client deadline pressures, and spec work investment stakes create impossible choices during incident response, and one lost major client can threaten agency survival and 45 employees’ livelihoods. Your incident response decisions directly affect whether agency completes career-defining presentation, whether small business manages security incident without enterprise resources, whether creative professionals maintain workflow autonomy while protecting against social engineering threats.
There’s no perfect solution: isolate infected workstations immediately (loses Friday presentation access threatening $400K contract and agency survival), maintain creative access through presentation (risks credential theft, data exfiltration, ransomware deployment across client assets), attempt partial containment with limited IT expertise (uncertain effectiveness during critical deadline). This scenario demonstrates how small business operational constraints create unique cybersecurity challenges—part-time IT resources limit incident response capabilities, creative culture autonomy conflicts with security restrictions, thin profit margins prevent enterprise security investment, client deadline dependencies make business continuity and security response competing imperatives where protecting infrastructure threatens revenue survival.
Emphasize small business IT constraints are structural, not negligence: $32K part-time IT coordinator versus $75K+ security specialist reflects budget reality—agencies cannot afford enterprise IT while maintaining competitive creative staff. Don’t let players dismiss as “bad prioritization.” Small business math: IT spending competes with billable resources generating revenue.
Creative workflow autonomy is cultural value, not security failure: Designers downloading productivity tools reflects agency’s creative empowerment culture and competitive differentiation. Software restrictions feel like “corporate bureaucracy” conflicting with small creative shop identity. Help players understand tension between creative autonomy (business value) and security controls (risk management).
Friday presentation stakes are existential, not arbitrary: $400K annual contract represents 12.5% of agency revenue, $21K spec work investment, planned expansion and hiring, owner’s personal financial risk—losing this opportunity threatens business viability. This isn’t “missing one client meeting,” it’s culmination of six-month pursuit with agency survival dependent on success.
Part-time IT coordinator is learning, not incompetent: Jake Chen provides adequate help desk support (his job description) but lacks cybersecurity training for incident response (not his expertise). Remote work Thursday afternoon adds complexity. Help players recognize resource constraints versus skill deficits.
Spec work business model creates high-risk development: Creative agencies invest tens of thousands in unpaid work gambling on transformational contracts—this model drives “cannot lose this pitch” pressure. Competitive pitch environment means no second chances, postponement equals loss.
FakeBat social engineering sophistication targets creative professionals: Fake Adobe plugin with convincing website, legitimate-seeming installation, targeting creative workflow needs—this isn’t “user negligence,” it’s sophisticated masquerading defeating reasonable verification attempts by professional designer.
Client asset protection adds stakeholder dimension: Agency holds 85 clients’ brand assets, unreleased campaigns, business strategies—breach affects not just agency but all client businesses depending on confidentiality. Small business clients (restaurants, shops, practices) cannot afford marketing data exposure.
Essential NPCs (appear in all rounds):
Lisa Martinez - Business Owner: Managing agency operations while worried about reputation damage and client confidence
Jake Thompson - IT Coordinator: Part-time IT support investigating unauthorized software installations and learning about sophisticated malware
Sarah Chen - Creative Director: Reporting design software “updates” and persistent browser ads, frustrated by workflow disruption before major presentation
Mark Rodriguez - Client Relations Manager: Assessing impact on client data security and managing client communication about potential exposure
Lisa Martinez (Business Owner):
Jake Thompson (IT Coordinator):
Sarah Chen (Creative Director):
Mark Rodriguez (Client Relations Manager):
Reported Issues:
Help Desk Reports:
“Sarah and three other designers are complaining about constant pop-ups and their browsers taking them to weird shopping sites. They all said they installed updates this morning to fix it, but it’s getting worse.”
Observable Evidence:
Timeline:
Actual Infection Vector:
Malicious advertisements (malvertising) on design resource websites led to fake software update pages. These pages mimicked legitimate Adobe and design tool update interfaces, delivering FakeBat downloader trojan when designers clicked “Install Critical Security Update.”
Full Attack Timeline:
Hidden Evidence:
Evidence players can discover through investigation:
What Players Don’t Know Yet:
Round 1 Discoveries:
Round 2 Discoveries:
Round 3 Discoveries:
Round 1: Discovery Phase
IF players investigate browser behavior first: → They discover malicious extensions and fake update downloads leading to FakeBat identification
IF players investigate network traffic first: → They discover C2 communications and ad network connections leading to Downloader classification
IF players miss both: → Jake reveals: “I found these weird browser extensions called ‘Adobe_Security_Update’ - is that normal?”
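What the Round 1 browser investigation can look like in practice, as an added example that is not part of the scenario materials: a Python triage script that scores Chrome extension manifests for the signs described above (a vendor-update name, no Chrome Web Store update URL, broad permissions). Only the name 'Adobe_Security_Update' comes from the scenario; the name patterns, the scoring threshold, and the three sample manifests are constructed, and the folder layout mirrors Chrome's per-profile Extensions folder (extension id / version / manifest.json).

```python
import json
import re
import tempfile
from pathlib import Path

# Update URL carried by extensions installed from the Chrome Web Store.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Assumed heuristics for this exercise: a design-tool brand plus an "update" lure word.
BRANDS = re.compile(r"adobe|creative[ _]?cloud|photoshop|illustrator", re.I)
LURES = re.compile(r"update|security|helper|patch|installer", re.I)

# Permissions that let an extension redirect or read traffic on every site.
RISKY = {"<all_urls>", "*://*/*", "webRequest", "webRequestBlocking", "proxy", "cookies"}


def score_manifest(manifest):
    """Return the reasons a manifest looks like a fake-update extension."""
    reasons = []
    name = str(manifest.get("name", ""))
    if BRANDS.search(name) and LURES.search(name):
        reasons.append("name imitates a vendor update")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        reasons.append("no Chrome Web Store update URL")
    declared = []
    for key in ("permissions", "host_permissions"):
        declared += [p for p in (manifest.get(key) or []) if isinstance(p, str)]
    risky = sorted(set(declared) & RISKY)
    if risky:
        reasons.append("broad permissions: " + ", ".join(risky))
    return reasons


def audit_extensions(root, threshold=2):
    """Walk <root>/<id>/<version>/manifest.json and return extensions to review."""
    findings = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # A manifest that cannot be parsed is itself worth a manual look.
            findings.append({"id": ext_id, "name": None,
                             "reasons": ["unreadable manifest"]})
            continue
        reasons = score_manifest(manifest)
        if len(reasons) >= threshold:
            findings.append({"id": ext_id, "name": manifest.get("name"),
                             "reasons": reasons})
    return findings


def build_sample_profile(root):
    """Write three constructed manifests (ids and names are made up)."""
    samples = {
        "a" * 32: {"name": "Adobe_Security_Update", "version": "1.0",
                   "manifest_version": 2,
                   "permissions": ["<all_urls>", "webRequest",
                                   "webRequestBlocking", "tabs"]},
        "b" * 32: {"name": "Palette Eyedropper", "version": "2.4",
                   "manifest_version": 3, "update_url": WEBSTORE_UPDATE_URL,
                   "permissions": ["activeTab"]},
        "c" * 32: {"name": "Studio Asset Sync", "version": "0.3",
                   "manifest_version": 3, "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / (manifest["version"] + "_0")
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for finding in audit_extensions(tmp):
            print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

The threshold of two reasons keeps a sideloaded in-house tool with narrow permissions out of the findings while still surfacing the fake update; a hit is a prompt for manual review, not proof of infection.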
Round 2: Deep Dive
Branching point based on Round 1 approach:
Round 3: Response Decision
Critical choices with consequences:
Stuck? Use These:
Classification: Downloader / Social
Behavioral Patterns:
Observable Indicators:
Threat Level: ⭐⭐ (Intermediate)
Potential Approaches:
Players have suggested:
Resources Available:
Known Effectiveness:
Based on malmon type (Downloader/Social):
Time Pressure:
48 hours until Friday client presentation - cannot be rescheduled without major business impact
Type Matchups for Downloader/Social:
Super Effective (+3):
Effective (+2):
Moderately Effective (+1):
Normal Effectiveness (0):
Ineffective (-1):
Very Ineffective (-2):
Success Probabilities:
Round 1 Objectives:
Key NPCs This Round:
Critical Inflection Point:
Sarah mentions: “Three other designers installed the same update I did - we were all trying to fix the browser problems.” → Players realize reinfection cycle is active
IM Scratchpad:
Use this for:
Round 2 Objectives:
NPC Escalation:
Critical Decision:
Players must choose cleanup approach balancing:
- Thoroughness (complete remediation) vs Speed (meet Friday deadline)
- Security (comprehensive cleanup) vs Usability (designers need tools)
- Transparency (tell clients) vs Discretion (silent cleanup)
Branching Paths:
Common Player Mistakes:
Round 3 Objectives:
Response Implementation:
Based on Round 2 choice, players now execute:
Success Calculation:
Type effectiveness + Business continuity + User education quality = Outcome
Possible Outcomes:
Complete Success: Browser forensics + Software verification + User education implemented → Presentation happens Friday, malware removed, staff trained, long-term protection (requires Path C with strong execution)
Partial Success: Technical cleanup good but user education rushed → Presentation succeeds, malware removed from critical systems, but reinfection risk remains (common outcome)
Complicated Success: Business wins but security compromised → Presentation happens but incomplete remediation, client notification required later (Path B outcome)
Failure Forward: Cleanup delays presentation but builds security foundation → Business takes short-term hit, long-term security gains (Path A outcome - reframe as investment)
Unexpected Events:
Technical Concepts:
Real-World Parallels:
FakeBat represents real malware families like SocGholish, FakeUpdates, and various browser hijackers that exploit user trust in software updates. The malvertising → fake update → trojan platform chain is common in real attacks targeting businesses.
Collaboration Skills:
MITRE ATT&CK Techniques:
For the Group:
Decision-Making: “What was the hardest decision you made? How did business pressure influence your security choices?”
Team Dynamics: “How did different perspectives (technical, business, creative) shape your approach? What role did user education play?”
Real-World Application: “How would your organization handle this situation? What’s similar or different from Creative Solutions’ challenges?”
Type System: “How did understanding FakeBat as a Downloader/Social type help you choose response strategies?”
Learning Moments: “What will you remember from this scenario? How might you apply user education in your own work?”
If Players Chose Security First (Path A):
Emphasize: Professional responsibility and long-term client trust - delaying presentation shows commitment to security
Connect to: Real businesses that chose security over expediency and built stronger client relationships
Missed opportunity: They didn’t see business continuity angle - but security foundation is solid
If Players Chose Business First (Path B):
Emphasize: Real-world pressure and risk management - understanding business context is valid
Connect to: Incidents where “good enough for now” led to major breaches - when does technical debt become unmanageable?
Missed opportunity: Reinfection risk still exists - what’s the follow-up plan?
If Players Chose Hybrid (Path C):
Emphasize: Excellent risk management and balanced thinking - no perfect answer exists
Connect to: Real incident response balances business continuity with security - this is professional-level decision making
Extension: How would you measure success of user education program? How would you prevent next infection?
If Players Struggled:
Focus on: They learned how business pressure affects security decisions - that’s the core lesson
Avoid: Emphasizing “optimal” solution - real IR teams struggle with these trade-offs too
Next time: Try similar small business scenario with different malmon type to build confidence
If Players Excelled:
Challenge: “How would you design a security program for Creative Solutions with their budget constraints?”
Extension: Try Tier 2 scenario (Poison Ivy) with more complex technical challenges
Share: Ask them to mentor newer players in future sessions
Connections to Other Scenarios:
Malware & Monsters Materials:
Related Scenarios:
Real-World Learning:
Type Effectiveness Quick Ref:
Victory Condition:
Identify/remove FakeBat + Restore workstations + Protect client data + Maintain Friday timeline + Implement user education
NPC Quick Ref:
Pressure Timeline:
Friday 2 PM - Client presentation (48 hours from scenario start)
Common Player Pitfalls:
Stuck? Use:
Pacing Adjustments:
Running Long:
Running Short:
Congratulations on completing this scenario!
Post-Session Tasks:
Questions or Issues?
See the Using Scenario Slides Guide for troubleshooting and facilitation tips.
Session Controls:
malwareMonsters.session.export() - Download session state
malwareMonsters.session.clear() - Reset for next session