FakeBat - Creative Solutions Studio

Client presentation pressure creates fake update vulnerability

Malware & Monsters

2025-12-04

Welcome to Malware & Monsters

FakeBat Scenario

Scenario Details:

  • Malmon: FakeBat (Downloader/Social) ⭐⭐
  • Difficulty: Tier 1 (Intermediate)
  • Organization: Creative Solutions Studio - Digital marketing agency, 45 employees
  • Duration: 75-140 minutes
  • Format: Lunch & Learn or Full Game

IM Quick Start:

Press ‘P’ for player-safe mode before showing slides!

Other essential keys:

  • S - Speaker view
  • T - Toggle theme
  • B - Black screen

Scenario Overview

Creative Agency Under Attack

The Situation:

Creative Solutions Studio is managing client campaigns when employees notice their browsers redirecting to unexpected websites and displaying persistent advertisements. Staff report installing “critical software updates” for design tools, but these were sophisticated software masquerading attacks delivering multi-stage trojan payloads. Major client presentation scheduled for Friday.

Your Role:

You are the incident response team for Creative Solutions Studio. The agency’s business owner has called you in because the compromised design workstations are threatening both client data security and the ability to deliver a critical presentation that could make or break the company’s reputation.

Victory Condition:

Successfully identify and remove FakeBat downloader, restore design workstation integrity, protect client data, maintain Friday presentation timeline, and implement user education to prevent recurrence.

Organization Context

Creative Solutions Studio

Overview:

  • Type: Digital Marketing Agency
  • Size: 45 employees
  • Location: Local business serving community clients
  • Mission: Creative services and digital marketing for small-to-medium businesses

Current State:

Managing multiple client campaigns with compromised design workstations affecting creative staff workflow. Limited IT resources (part-time coordinator) creating response challenges.

Key Systems:

  • Adobe Creative Suite workstations
  • Client campaign management platforms
  • Browser-based research and collaboration tools
  • File sharing and client asset storage

Immediate Pressure:

Friday client presentation - major pitch that represents significant business opportunity. Cannot be rescheduled. Losing this account would severely impact agency survival.

The Team

Key People You’ll Work With

Essential NPCs (appear in all rounds):

  1. Lisa Martinez - Business Owner: Managing agency operations while worried about reputation damage and client confidence

  2. Jake Thompson - IT Coordinator: Part-time IT support investigating unauthorized software installations and learning about sophisticated malware

  3. Sarah Chen - Creative Director: Reporting design software “updates” and persistent browser ads, frustrated by workflow disruption before major presentation

  4. Mark Rodriguez - Client Relations Manager: Assessing impact on client data security and managing client communication about potential exposure

NPC Secrets & Motivations

Hidden Information for IM

Lisa Martinez (Business Owner):

  • Hidden Agenda: Desperate to avoid losing the Friday client - willing to cut corners on security if it means meeting the deadline
  • Secret: Agency finances are tight; losing this client could mean layoffs
  • Roleplay Tip: Start professional but let desperation show as time pressure increases. Ask “can we just clean the browsers and present Friday?”
  • Emotional Arc: Moves from denial → panic → acceptance of security investment need

Jake Thompson (IT Coordinator):

  • Hidden Agenda: Overwhelmed and in over his head - this is way beyond his skill level but doesn’t want to admit it
  • Secret: Just Googled “what is a trojan” this morning; part-time role, not a security professional
  • Roleplay Tip: Offer simple solutions that won’t work (antivirus, browser reset). Gradually reveal technical complexity as players guide him.
  • Emotional Arc: Moves from confidence → overwhelm → gratitude for expert guidance

Sarah Chen (Creative Director):

  • Hidden Agenda: Frustrated that “IT problems” are derailing her creative work; sees security as IT’s job, not hers
  • Secret: Clicked the fake update because she was rushing to meet a deadline; feels guilty but defensive
  • Roleplay Tip: Initially dismissive (“can’t you just fix it?”), gradually understands user education importance
  • Emotional Arc: Moves from frustration → defensiveness → recognition of shared responsibility

Mark Rodriguez (Client Relations Manager):

  • Hidden Agenda: Terrified clients will find out and leave; wants to solve this quietly without disclosure
  • Secret: Already had one client ask about “weird emails” from the agency
  • Roleplay Tip: Pushes for minimal disclosure, resists transparency. Voice of client relationship concerns.
  • Emotional Arc: Moves from cover-up mindset → understanding client trust requires honesty

Initial Symptoms

What You Can Observe

Reported Issues:

  • Browser redirections to unexpected websites during client research
  • Persistent advertisements appearing in design software workflows
  • “Critical update” notifications for Adobe Creative Suite and design tools
  • Client project files behaving unexpectedly on compromised workstations

Help Desk Reports:

“Sarah and three other designers are complaining about constant pop-ups and their browsers taking them to weird shopping sites. They all said they installed updates this morning to fix it, but it’s getting worse.”

Observable Evidence:

  • Multiple browser extensions with suspicious names installed
  • Modified browser startup pages and search engines
  • Unfamiliar processes running on design workstations
  • Network traffic to unknown domains during “idle” periods

Timeline:

  • Monday 9 AM: First reports of browser redirects
  • Tuesday 3 PM: Multiple staff install “critical updates”
  • Wednesday 10 AM: Current moment - escalating issues
  • Friday 2 PM: CLIENT PRESENTATION DEADLINE

What’s Really Happening

Complete Technical Picture (IM Reference)

Actual Infection Vector:

Malicious advertisements (malvertising) on design resource websites led to fake software update pages. These pages mimicked legitimate Adobe and design tool update interfaces, delivering the FakeBat downloader trojan when designers clicked “Install Critical Security Update.”

Full Attack Timeline:

  • Monday 8:30 AM: Sarah visits design resource blog, encounters malvertising
  • Monday 9:00 AM: Sarah clicks fake Adobe update, downloads FakeBat installer
  • Monday 2:00 PM: FakeBat establishes browser persistence, begins displaying ads
  • Tuesday Morning: Three more designers encounter similar fake updates on different sites
  • Tuesday 3:00 PM: Designers install fake “fix” updates, actually installing additional payloads
  • Wednesday (Current): FakeBat fully established with browser hijacking, credential harvesting, and trojan platform capabilities

Hidden Evidence:

Evidence players can discover through investigation:

  1. Browser forensics: Malicious extensions named “Adobe_Security_Update” and “CreativeSuite_Optimizer” (requires browser examination)
  2. Download history: ZIP files from suspicious domains disguised as update packages (requires file system investigation)
  3. Network logs: Connections to ad networks and C2 infrastructure (requires network monitoring)
  4. Registry/startup items: Persistence mechanisms ensuring reinfection after simple cleanup (requires system forensics)

What Players Don’t Know Yet:

  • Simple browser cleanup won’t work - FakeBat has system-level persistence
  • Three more designers installed fake updates this morning (reinfection cycle)
  • FakeBat is harvesting browser credentials and client access tokens
  • The malware communicates with command and control servers to download additional payloads

Investigation Progress

Discoveries So Far

Round 1 Discoveries:

Round 2 Discoveries:

Round 3 Discoveries:

Complete Investigation Map

All Possible Paths & Discoveries (IM Reference)

Round 1: Discovery Phase

IF players investigate browser behavior first: → They discover malicious extensions and fake update downloads leading to FakeBat identification

IF players investigate network traffic first: → They discover C2 communications and ad network connections leading to Downloader classification

IF players miss both: → Jake reveals: “I found these weird browser extensions called ‘Adobe_Security_Update’ - is that normal?”

Round 2: Deep Dive

Branching point based on Round 1 approach:

  • Browser-First Path: Players discover persistence mechanisms, Jake reports “more designers just installed fake updates this morning” - reinfection crisis
  • Network-First Path: Players discover C2 infrastructure, Mark worries about client data exfiltration - security disclosure dilemma

Round 3: Response Decision

Critical choices with consequences:

  1. Emergency Quick Fix: Simple browser cleanup + Friday presentation → SUCCESS for presentation but REINFECTION within days (incomplete remediation)
  2. Comprehensive Remediation: Full workstation reimaging + user education → DELAY Friday presentation but COMPLETE security restoration
  3. Hybrid Approach: Priority workstations cleaned properly + others get quick fix + immediate user training → PARTIAL success, managed risk, meets deadline

Stuck? Use These:

  • Subtle: Sarah mentions colleague just installed another “update” this morning
  • More Obvious: Jake asks “Should I look at what these browser extensions are actually doing?”
  • Direct: Lisa demands “Can someone explain to me what we’re actually dealing with here?”

Meet the Malmon

FakeBat

Classification: Downloader / Social

Behavioral Patterns:

  • Software masquerading - disguises as legitimate software updates
  • Browser hijacking and persistent advertisement injection
  • Multi-stage payload delivery platform
  • Credential and session token harvesting

Observable Indicators:

  • Unauthorized browser extensions with official-sounding names
  • Browser redirects to unexpected advertising and shopping sites
  • Modified browser configurations (homepage, search engine, startup behavior)
  • Downloaded ZIP files from suspicious domains masquerading as updates

Threat Level: ⭐⭐ (Intermediate)
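One way to turn the observable indicators above into a repeatable triage check, as an added example that is not part of the scenario materials: the impersonated-vendor list, trusted download domains, baseline browser settings and the two-workstation inventory are all constructed assumptions for illustration.

```python
"""Workstation triage heuristics for the FakeBat-style indicators listed above.

Added example, not scenario material. All inventory records are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Vendor names a fake update typically borrows (assumption for this example).
IMPERSONATED_VENDORS = ("adobe", "creativesuite", "creative cloud", "photoshop")
# Domains a genuine installer for those vendors would come from (assumption).
TRUSTED_DOWNLOAD_DOMAINS = ("adobe.com",)
# Install sources the agency sanctions (assumption: store-installed only).
TRUSTED_EXTENSION_SOURCES = ("chrome_web_store", "microsoft_store")
# Browser settings the workstation image ships with (constructed baseline).
BASELINE_BROWSER = {"homepage": "https://intranet.agency.test", "search_engine": "google"}

@dataclass
class Extension:
    name: str
    install_source: str  # e.g. "chrome_web_store" or "sideloaded"

@dataclass
class Download:
    filename: str
    url: str

@dataclass
class Workstation:
    host: str
    extensions: list = field(default_factory=list)
    downloads: list = field(default_factory=list)
    browser_config: dict = field(default_factory=dict)

def _domain_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOWNLOAD_DOMAINS)

def triage(ws):
    """Return (indicator, detail) tuples for one workstation."""
    findings = []
    for ext in ws.extensions:
        lowered = ext.name.lower()
        # Indicator 1: official-sounding extension name that was not store-installed.
        if (any(v in lowered for v in IMPERSONATED_VENDORS)
                and ext.install_source not in TRUSTED_EXTENSION_SOURCES):
            findings.append(("vendor_name_extension_sideloaded", ext.name))
    for dl in ws.downloads:
        fname = dl.filename.lower()
        # Indicator 2: "update" archive fetched from a domain the vendor does not own.
        if fname.endswith(".zip") and "update" in fname and not _domain_trusted(dl.url):
            findings.append(("update_archive_untrusted_domain", dl.url))
    # Indicator 3: homepage or search engine changed from the baseline image.
    for key, expected in BASELINE_BROWSER.items():
        actual = ws.browser_config.get(key)
        if actual is not None and actual != expected:
            findings.append(("browser_config_modified", f"{key}={actual}"))
    return findings

def likely_compromised(ws):
    """Two or more distinct indicator classes: escalate to system-level forensics."""
    return len({kind for kind, _ in triage(ws)}) >= 2

# Constructed sample inventory for two design workstations.
SAMPLE = [
    Workstation("design-03",
        extensions=[Extension("Adobe_Security_Update", "sideloaded"),
                    Extension("uBlock Origin", "chrome_web_store")],
        downloads=[Download("Adobe_Critical_Update.zip",
                            "https://cdn-updates.ads.invalid/x/Adobe_Critical_Update.zip")],
        browser_config={"homepage": "https://deals.ads.invalid", "search_engine": "google"}),
    Workstation("design-07",
        extensions=[Extension("Grammarly", "chrome_web_store")],
        downloads=[Download("Photoshop_Update.zip", "https://helpx.adobe.com/dl/Photoshop_Update.zip")],
        browser_config=dict(BASELINE_BROWSER)),
]

if __name__ == "__main__":
    for ws in SAMPLE:
        print(ws.host, "ESCALATE" if likely_compromised(ws) else "no indicators", triage(ws))
```

A single hit (for example a sideloaded extension alone) is left for a human to review; the escalation rule only fires when independent indicator classes agree, which is what separates a FakeBat-style infection from a one-off misconfiguration.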

Response Strategies

What Might Work?

Potential Approaches:

Players have suggested:

  • Browser forensics and extension analysis
  • Software verification protocols
  • Workstation reimaging
  • User education about fake updates
  • Network monitoring and filtering
  • Antimalware scanning

Resources Available:

  • Jake’s IT skills (limited but learning)
  • Players’ technical expertise
  • Backup systems for client files
  • Time until Friday (limited!)

Known Effectiveness:

Based on malmon type (Downloader/Social):

  • Strong Against: Software verification, Browser forensics, User education
  • Moderate Against: Workstation reimaging, Network monitoring
  • Weak Against: Simple browser cleanup, Antivirus alone, Ignoring user behavior

Time Pressure:

48 hours until Friday client presentation - cannot be rescheduled without major business impact

Complete Type Effectiveness

Full Response Matrix (IM Reference)

Type Matchups for Downloader/Social:

Super Effective (+3):

  • Browser Forensics: Reveals persistence mechanisms, malicious extensions, modified configurations
  • Software Verification Protocols: Teaches staff to identify legitimate vs fake updates, prevents reinfection

Effective (+2):

  • User Education: Addresses social engineering vulnerability, but needs follow-through
  • Workstation Reimaging: Removes malware completely, but time-intensive and requires backups

Moderately Effective (+1):

  • Antimalware Scanning: May detect some components but misses browser-based persistence
  • Browser Reset: Removes some symptoms but malware reinstalls from system-level persistence
  • Network Monitoring: Detects C2 traffic but doesn’t address user behavior vulnerability

Normal Effectiveness (0):

  • Standard patching: Keeps systems current but doesn’t address social engineering

Ineffective (-1):

  • Simple Browser Cleanup: Temporary fix, malware persists at system level and reinstalls

Very Ineffective (-2):

  • Ignoring Persistence: Malware returns immediately after cleanup
  • Trusting Fake Updates: Exactly what got them into this - reinforces vulnerability

Success Probabilities:

  • Optimal approach (Browser Forensics + Software Verification + User Education): 85% success with long-term protection
  • Good approach (Workstation Reimaging + User Education): 75% success, time-intensive
  • Risky approach (Antimalware + Browser Reset): 45% success, high reinfection risk
  • Poor approach (Simple Browser Cleanup): 20% success, almost certain reinfection

Round 1 Guide: Discovery

Facilitation Notes (IM Only)

Round 1 Objectives:

  • Players identify FakeBat malmon family (Downloader/Social)
  • Players find malvertising → fake update infection vector
  • Players map scope: 4+ designer workstations compromised
  • Time: 25-35 minutes

Key NPCs This Round:

  • Sarah: Reports installing “Adobe update” from pop-up - defensive about clicking
  • Jake: Shows players browser extensions, confused about why antivirus didn’t catch this

Critical Inflection Point:

Sarah mentions: “Three other designers installed the same update I did - we were all trying to fix the browser problems.” → Players realize reinfection cycle is active

IM Scratchpad:

Use this for:

  • Tracking which player theories are closest
  • Recording how many workstations players have identified
  • Noting when to reveal Jake’s technical limitations
  • Planning Sarah’s defensive → helpful transition

Round 2 Guide: Investigation

Deep Dive Facilitation (IM Only)

Round 2 Objectives:

  • Players understand multi-stage payload and persistence mechanisms
  • Players identify browser-level AND system-level compromise
  • Players face business vs. security decision
  • Time: 30-40 minutes

NPC Escalation:

  • Lisa: “Friday is 48 hours away - do we have time for a full cleanup? What’s the minimum to be safe for the presentation?”
  • Jake: Discovers three more designers installed fake updates THIS MORNING - reinfection is active
  • Sarah: Frustrated workflow disruption, asks “Why can’t we just use different computers?”
  • Mark: Worried voice: “If clients find out their data was on compromised systems…”

Critical Decision:

Players must choose a cleanup approach balancing:

  • Thoroughness (complete remediation) vs Speed (meet Friday deadline)
  • Security (comprehensive cleanup) vs Usability (designers need tools)
  • Transparency (tell clients) vs Discretion (silent cleanup)

Branching Paths:

  • Path A (Security First): Full remediation, delay presentation → Complete malware removal but business impact
  • Path B (Business First): Quick cleanup, meet deadline → Presentation happens but reinfection risk high
  • Path C (Hybrid): Priority workstations + user education + risk management → Balanced approach with managed trade-offs

Common Player Mistakes:

  1. “Just reimage everything” → Jake: “That’s 4+ workstations, client files, software reinstalls… Lisa, how many days would that take?”
  2. “Simple antivirus scan will fix it” → Jake runs scan, reports back: “Antivirus found some stuff but browsers are still acting weird”
  3. “Don’t tell the clients anything” → Mark discovers client already received suspicious email from agency address - cover-up backfires

Round 3 Guide: Response

Resolution Facilitation (IM Only)

Round 3 Objectives:

  • Players implement chosen approach and face consequences
  • Players establish user education program (hopefully!)
  • Players achieve (or partially achieve) victory condition
  • Time: 25-35 minutes

Response Implementation:

Based on Round 2 choice, players now execute:

  • Path A (Security First): Comprehensive cleanup but presentation rescheduled → Challenge: Lisa must explain delay to client, tests business relationship
  • Path B (Business First): Quick fix for Friday → Challenge: Reinfection during presentation prep, emergency mid-presentation malware behavior
  • Path C (Hybrid): Balanced approach → Challenge: Managing risk, prioritizing critical workstations, training users under time pressure

Success Calculation:

Type effectiveness + Business continuity + User education quality = Outcome

Possible Outcomes:

  1. Complete Success: Browser forensics + Software verification + User education implemented → Presentation happens Friday, malware removed, staff trained, long-term protection (requires Path C with strong execution)

  2. Partial Success: Technical cleanup good but user education rushed → Presentation succeeds, malware removed from critical systems, but reinfection risk remains (common outcome)

  3. Complicated Success: Business wins but security compromised → Presentation happens but incomplete remediation, client notification required later (Path B outcome)

  4. Failure Forward: Cleanup delays presentation but builds security foundation → Business takes short-term hit, long-term security gains (Path A outcome - reframe as investment)

Unexpected Events:

  • During cleanup: Jake finds client credentials in FakeBat harvesting logs → Immediate client notification required
  • During presentation prep: More fake updates circulating on design blogs → User education becomes urgent
  • During final testing: One designer admits clicking ANOTHER fake update yesterday → Reinforces education need

Debrief: Key Learnings

What Did We Learn?

Technical Concepts:

  • Software masquerading and fake update delivery
  • Downloader/Social malmon type characteristics
  • Browser hijacking and persistence mechanisms
  • Multi-stage payload deployment
  • Small business security on limited budgets

Real-World Parallels:

FakeBat represents real malware families like SocGholish, FakeUpdates, and various browser hijackers that exploit user trust in software updates. The malvertising → fake update → trojan platform chain is common in real attacks targeting businesses.

Collaboration Skills:

  • Balancing business continuity with security thoroughness
  • Making decisions with incomplete information under time pressure
  • Cross-functional communication (technical → business language)
  • User education as security control
  • Risk management and trade-off evaluation

MITRE ATT&CK Techniques:

  • T1204.002 (User Execution: Malicious File)
  • T1189 (Drive-by Compromise)
  • T1176 (Browser Extensions)
  • T1539 (Steal Web Session Cookie)

Debrief: Discussion

Reflection Questions

For the Group:

  1. Decision-Making: “What was the hardest decision you made? How did business pressure influence your security choices?”

  2. Team Dynamics: “How did different perspectives (technical, business, creative) shape your approach? What role did user education play?”

  3. Real-World Application: “How would your organization handle this situation? What’s similar or different from Creative Solutions’ challenges?”

  4. Type System: “How did understanding FakeBat as a Downloader/Social type help you choose response strategies?”

  5. Learning Moments: “What will you remember from this scenario? How might you apply user education in your own work?”

IM Debrief Notes

Tailoring Discussion to Session (IM Reference)

If Players Chose Security First (Path A):

  • Emphasize: Professional responsibility and long-term client trust - delaying presentation shows commitment to security
  • Connect to: Real businesses that chose security over expediency and built stronger client relationships
  • Missed opportunity: They didn’t see business continuity angle - but security foundation is solid

If Players Chose Business First (Path B):

  • Emphasize: Real-world pressure and risk management - understanding business context is valid
  • Connect to: Incidents where “good enough for now” led to major breaches - when does technical debt become unmanageable?
  • Missed opportunity: Reinfection risk still exists - what’s the follow-up plan?

If Players Chose Hybrid (Path C):

  • Emphasize: Excellent risk management and balanced thinking - no perfect answer exists
  • Connect to: Real incident response balances business continuity with security - this is professional-level decision making
  • Extension: How would you measure success of user education program? How would you prevent next infection?

If Players Struggled:

  • Focus on: They learned how business pressure affects security decisions - that’s the core lesson
  • Avoid: Emphasizing “optimal” solution - real IR teams struggle with these trade-offs too
  • Next time: Try similar small business scenario with different malmon type to build confidence

If Players Excelled:

  • Challenge: “How would you design a security program for Creative Solutions with their budget constraints?”
  • Extension: Try Tier 2 scenario (Poison Ivy) with more complex technical challenges
  • Share: Ask them to mentor newer players in future sessions

Connections to Other Scenarios:

  • Similar malmon: FakeBat Gaming Cafe - same malmon, different context (customer-facing systems vs. internal tools)
  • Next difficulty: Poison Ivy Professional Services - Tier 2 RAT with more technical depth
  • Different context: Crypter variants - explores ransomware angle with similar small business pressure

Additional Resources

Continue Learning

Malware & Monsters Materials:

Related Scenarios:

  • Similar Difficulty: FakeBat Gaming Cafe (Tier 1), Clipbanker Startup scenarios
  • Next Challenge: Poison Ivy Professional Services (Tier 2)
  • Different Context: FakeBat Healthcare Clinic - same malmon, medical context

Real-World Learning:

  • MITRE ATT&CK: Techniques T1204.002, T1189, T1176, T1539
  • Case Studies: SocGholish campaigns, FakeUpdates malware family
  • Further Reading: Browser-based malware, software masquerading techniques, small business security

IM Cheat Sheet

Essential Reference (Keep This Visible)

Type Effectiveness Quick Ref:

  • Super (+3): Browser Forensics, Software Verification
  • Effective (+2): User Education, Workstation Reimaging
  • Ineffective (-1): Simple Browser Cleanup
  • Very Ineffective (-2): Ignoring Persistence, Trusting Fake Updates

Victory Condition:

Identify/remove FakeBat + Restore workstations + Protect client data + Maintain Friday timeline + Implement user education

NPC Quick Ref:

  • Lisa: Business owner, desperate for Friday presentation
  • Jake: IT coordinator, learning as he goes
  • Sarah: Creative director, clicked fake update, defensive
  • Mark: Client relations, wants quiet resolution

Pressure Timeline:

Friday 2 PM - Client presentation (48 hours from scenario start)

Common Player Pitfalls:

  1. “Just reimage” → Jake: “4+ workstations, days of work”
  2. “Antivirus fixes it” → Scan misses browser persistence
  3. “Don’t tell clients” → Cover-up backfires when client gets suspicious email

Stuck? Use:

  • Jake: “Should I show you these weird browser extensions?”
  • Sarah: “Three more people installed updates this morning”
  • Lisa: “Can someone explain what we’re dealing with?”

Pacing Adjustments:

Running Long:

  • Skip detailed malware analysis
  • Condense NPC subplots
  • Fast-forward to decision point

Running Short:

  • Expand client notification dilemma
  • Add vendor coordination subplot
  • Introduce competitive exploitation angle

Scenario Complete

FakeBat Small Business - Session End

Congratulations on completing this scenario!

Post-Session Tasks:

  1. Share resource links with players
  2. Encourage feedback on what worked/what didn’t
  3. Suggest next scenarios based on their interests
  4. Export session state if players want to keep notes

Questions or Issues?

See the Using Scenario Slides Guide for troubleshooting and facilitation tips.

Session Controls:

  • malwareMonsters.session.export() - Download session state
  • malwareMonsters.session.clear() - Reset for next session