Winnti – BioGenix Solutions

Chinese APT Supply Chain Espionage

Welcome to Malware & Monsters!

What You’re About to Experience

You’re part of BioGenix Solutions’ incident response team. CFCS (Center for Cybersikkerhed) has tipped off your CISO – indicators from a European campaign match your infrastructure. You need to find out if you’re compromised, how deep the attacker is, and what they’ve taken.

Your Mission

Investigate and contain a sophisticated supply chain intrusion while protecting proprietary R&D, preserving forensic evidence, coordinating with CFCS, and deciding how far to trust a vendor whose software may have been weaponized.

Quick Start for Facilitators

New to facilitating Malware & Monsters? Start here:

IM Quick Start Guide – Everything you need to run this scenario in one concise document


The Hook

Thursday Afternoon, 13:00 – CFCS Contacted Your CISO Last Night

It is Thursday afternoon at BioGenix Solutions. CFCS contacted your CISO last night with intelligence from a European campaign – indicators match your infrastructure. Your teams are assembled to investigate.

What CFCS Shared and What Your SOC Found This Morning

  • CFCS Intelligence: Indicators from a compromised European biotech firm match traffic patterns in your environment – specifically, SNI-spoofed HTTPS sessions mimicking Microsoft Graph API destined for a domain registered 4 months ago via privacy proxy
  • EDR Console: Three bioreactor calibration workstations generated unexpected child processes starting at 22:14 last night – shortly after the CaliSyncPro software update completed
  • Azure AD Alerts: HANSEN-SAP-01, which the ITSM system lists as scheduled for decommissioning, authenticated into your Azure cloud R&D environment twice last night
  • GenixLibrary Audit Log: Six sequential reads of DNA sequence files between 22:21 and 23:48 – no corresponding user session, no scheduled job
  • Network Monitoring: Anomalous outbound HTTPS volume from the cloud R&D environment, classified by DLP as Microsoft telemetry

CFCS believes you are an active target in a supply chain campaign. Your SOC findings this morning confirm something is wrong. The question is how deep, and how long it has been there.


Organization Context

BioGenix Solutions

Sector: Precision fermentation and industrial enzyme engineering

Size: 1,800 employees, headquarters in Copenhagen

Current Situation: BioGenix completed a merger 6 months ago, inheriting legacy infrastructure that has not yet been fully integrated or decommissioned. The company’s crown jewel – GenixLibrary – contains years of proprietary genomic and fermentation IP.

Key Systems

  • GenixLibrary – proprietary genomic sequence and fermentation IP repository, hosted in Azure cloud R&D environment. This is the crown jewel.
  • Collaborative Bridge – VPN integration established during the post-merger infrastructure consolidation, connecting on-premise systems to the Azure R&D environment
  • Hansen-Core SAP NetWeaver – legacy ERP instance (HANSEN-SAP-01), scheduled for decommissioning since September 2024, still network-connected. Part of the inherited infrastructure.

Why This Matters Now

GenixLibrary contains BioGenix’s entire competitive advantage in precision fermentation. If a foreign adversary has been systematically collecting this IP, the damage is permanent and irreversible – no amount of incident response recovers trade secrets once exfiltrated.


Initial Symptoms

What You’re Working With

Bioreactor Workstation Alerts

Three workstations (BIOGEN-RD-WS-01, WS-02, WS-03) all show the same pattern: the calibration service calibsvc.exe spawned a PowerShell process with an encoded command, which then ran net.exe user svc-rdbridge-admin /domain.

The CaliSyncPro update v4.2.1 completed at 22:13 last night. The process anomalies started at 22:14.

HANSEN-SAP-01 Authentication Activity

HANSEN-SAP-01 is an on-premise SAP NetWeaver server that should be offline – it was marked for decommissioning 18 months ago. Last night it authenticated as svc-rdbridge-admin into your Azure AD environment, bypassing Conditional Access via a legacy exception called COLLBRIDGE-EXCL-003.

GenixLibrary Off-Hours Access

Six sequential batch reads of GenixLibrary sequence files, originating from the Azure cloud environment, between 22:21 and 23:48. The account used: svc-rdbridge-admin. No interactive logon preceded any of these sessions.

The DLP Miss

Anomalous outbound HTTPS traffic classified by your DLP system as Microsoft Graph API telemetry. The destination resolves to graph-api-sync.bioanalytics.net – a domain registered 4 months ago via a privacy proxy. CFCS flagged this exact pattern from another European victim.


NPCs: Your Key Contacts

People Who Need Your Help

Phillip Christensen – CEO

What They Care About: Protecting BioGenix’s market position, IP valuation, and reputation with partners and regulators

Current State: Not yet fully briefed – knows there are “some security alerts” but doesn’t know the scope

Helpful For: Authorization for aggressive containment actions, vendor relationship decisions, board-level communication

Potential Barrier: May resist actions that create public exposure or disrupt ongoing business relationships


Katrine Fønsmark – CTO

What They Care About: R&D pipeline integrity, system availability, the security of GenixLibrary

Current State: Alarmed – she knows GenixLibrary is the company’s crown jewel and any compromise threatens BioGenix’s competitive position

Helpful For: Technical architecture, access controls, understanding what GenixLibrary data was accessible, authorizing forensic work on cloud R&D systems

Potential Barrier: Will want forensic work to be thorough but fast, which creates tension with evidence preservation


Bent Sejrø – CISO

What They Care About: Containment, evidence preservation, CFCS coordination, understanding the full scope of compromise

Current State: Running the incident response – CFCS contacted him directly last night. He has escalated to the teams for structured investigation and decision-making.

Helpful For: Forensic strategy, CFCS coordination, what ITSM records show about HANSEN-SAP-01, understanding the CFCS intelligence context

Potential Barrier: Cautious by nature; may slow decisions trying to verify before acting


Dr. Ida Woetmann – VP Research & Development

What They Care About: GenixLibrary data integrity, her research team’s work, understanding what was accessed and whether results are still valid

Current State: Deeply concerned – she knows exactly what is in GenixLibrary and understands the competitive implications if it has been exfiltrated

Helpful For: What data is in GenixLibrary, which datasets represent the highest-value targets, what an adversary would want

Potential Barrier: May become emotionally focused on one specific dataset or research program and narrow the team’s scope


NPC Hidden Agendas

Character Secrets & Development Arcs

Phillip Christensen – CEO

Hidden Agenda: BioGenix’s board expects the post-merger integration to go smoothly. A major security incident involving legacy infrastructure inherited from the merger reflects poorly on his leadership.

Secret Fear: That the exfiltration scope, once disclosed to CFCS and eventually to partners, damages BioGenix’s reputation and IP valuation permanently.

Character Arc:

  • Initial: “Handle this quietly. We cooperate with CFCS but I want to control what goes public.”
  • Mid-Game: Confronts the reality that CFCS coordination requires sharing indicators, and other victims are already aware
  • Resolution: Authorizes full CFCS cooperation and vendor notification – understands that coordinated response protects BioGenix more than secrecy

Roleplay Notes: Phillip is not malicious – he’s protecting his company. His arc is about understanding that coordinated transparency with CFCS and the vendor is more protective than trying to manage this alone.


Katrine Fønsmark – CTO

Hidden Agenda: She approved the COLLBRIDGE-EXCL-003 Conditional Access exception during the post-merger infrastructure consolidation. She knows this, and she’s aware it’s the policy gap that enabled the lateral movement.

Secret Fear: That the forensic investigation will surface her name on that exception approval.

Character Arc:

  • Initial: Pushes hard on containment, volunteers forensic resources
  • Mid-Game: Becomes evasive when the authentication policy gap is identified
  • Resolution: Discloses her role in the exception – frames it as a post-merger integration decision that needed lifecycle review

Roleplay Notes: Katrine is an asset to the response – her obstruction only appears on one specific topic. Push her gently if the team notices inconsistency in her cooperation.


Bent Sejrø – CISO

Hidden Agenda: He tried to get HANSEN-SAP-01 decommissioned six months ago. The ITSM ticket is still open. Facilities and Finance blocked it for budget reasons.

Secret Frustration: He has documentation of the risk – and he’s furious it went unaddressed.

Character Arc:

  • Initial: Methodical, process-oriented, cautious
  • Mid-Game: Reveals the ITSM history – ITSM-29847 open since 2024-08-15, blocked twice
  • Resolution: Uses the incident to make the case for governance reform on legacy system decommissioning backlog

Roleplay Notes: Bent is a sympathetic figure. His caution and frustration are both justified. He becomes more decisive as the team validates his prior risk assessments.


Dr. Ida Woetmann – VP R&D

Hidden Agenda: She suspects the attacker specifically targeted the highest-value GenixLibrary datasets – the core fermentation IP and proprietary enzyme sequences – because those represent BioGenix’s entire competitive moat.

Secret Knowledge: She knows which competitor nations would benefit most from this specific data – she’s been tracking parallel research programs at Chinese state-backed institutions.

Character Arc:

  • Initial: Focused narrowly on her active research programs
  • Mid-Game: Raises the core IP concern – explains what the targeted datasets contain and their strategic value
  • Resolution: Provides intelligence context that supports the CFCS coordination and helps scope the damage assessment

Roleplay Notes: Ida’s technical knowledge is a pivot point for understanding the strategic dimension. She can help the team understand why this incident is more than corporate espionage.


The Complete Technical Picture

What’s Really Happening – Winnti Supply Chain Espionage

Attack Timeline

2025-11-20: Domain graph-api-sync.bioanalytics.net registered via privacy proxy.

2025-12-04 (estimated): CaliSyncPro update v4.2.1 compiled with Winnti dropper embedded. CaliSync Instrumentation GmbH is fully compromised – their build pipeline is producing weaponized updates. Their code-signing certificate (SN 4A9F02B1) remains VALID.

2025-12-04: CaliSyncPro v4.2.1 delivered via vendor update channel. OCSP check performed at deployment – certificate returns VALID (because it has not been revoked; the supplier is compromised, not their certificate). Winnti dropper executes on three bioreactor workstations, harvests NTLM credential hash for svc-rdbridge-admin from memory via encoded PowerShell command.

2025-12-10 (first session): HANSEN-SAP-01 uses harvested svc-rdbridge-admin hash (Pass-the-Hash via NTLM) to authenticate through the Collaborative Bridge into Azure AD, bypassing Conditional Access via COLLBRIDGE-EXCL-003. First GenixLibrary batch read session: 19 files, Fermentation-Seq-Archive-2023.

2025-12-10 to 2026-04-14: Periodic off-hours batch read sessions. ~7 GB of historical R&D data exfiltrated via port 443 to graph-api-sync.bioanalytics.net, TLS SNI spoofed as graph.microsoft.com. In the final weeks, active collection shifts to core IP – ~2-3 GB of high-value enzyme engineering datasets targeted.

2026-04-15 (overnight): Process anomaly on calibration workstations triggers EDR alert. CFCS contacts Bent Sejrø with intelligence from a European campaign – indicators match BioGenix infrastructure.

2026-04-16 13:00 (now): Teams assembled. CFCS intelligence and SOC findings converge.

Technical Mechanisms

Supply Chain Entry:

  • Winnti delivered via weaponized CaliSyncPro v4.2.1 update from CaliSync Instrumentation GmbH
  • CaliSync GmbH is fully compromised – their build pipeline produces weaponized updates while the supplier remains unaware
  • Code-signing certificate (SN 4A9F02B1) is VALID – OCSP was checked and returned valid. Everything looks legitimate, but the payload is malicious.
  • Dropper executed as child process of calibsvc.exe on 3 bioreactor workstations
  • Encoded PowerShell harvested svc-rdbridge-admin NTLM hash from memory

Kernel-Level Persistence on HANSEN-SAP-01:

  • Signed kernel driver (VALID certificate 4A9F02B1) loaded at ring-0
  • Direct Kernel Object Manipulation (DKOM) via NtQuerySystemInformation hook hides 5 processes from standard enumeration
  • Hardware-assisted memory enumeration reveals 92 processes vs 87 in standard tasklist.exe
  • PID 4028 maintains active ESTABLISHED connection to 203.0.113.44:443
  • HANSEN-SAP-01 excluded from SOC monitoring under decommission-backlog exclusion

Lateral Movement:

  • Pass-the-Hash: NTLM authentication from HANSEN-SAP-01 using harvested hash – no interactive logon ever recorded
  • COLLBRIDGE-EXCL-003 Conditional Access exception (created 2024-11-14 during post-merger consolidation, never reviewed, no expiry) bypasses MFA requirement
  • Multiple confirmed NTLM sessions over the dwell period

Exfiltration:

  • Port 443 outbound from GENIX-PROD-01 and AZURE-RD-ENV-01
  • TLS SNI presented as graph.microsoft.com; actual destination graph-api-sync.bioanalytics.net
  • Self-signed certificate impersonating Microsoft – DLP trusts SNI header, never validates certificate
  • Off-hours batch sessions; svc-rdbridge-admin excluded from off-hours DLP policy as a service account
  • ~7 GB historical R&D data + ~2-3 GB active core IP collection (~10 GB total estimated)

Current Threat Status

Active persistence: Kernel rootkit on HANSEN-SAP-01 with live C2 connection to 203.0.113.44:443.

Active exfiltration channel: A session was underway at time of detection – status unclear.

Suspected scope: ~7 GB historical R&D data already exfiltrated, with ~2-3 GB of active core IP collection transfers in progress (~10 GB total estimated).

Attribution indicators: Indicators match CFCS bulletin CB-2026-0312 – same supply chain pattern observed across other European biotech/pharma victims.

Certificate status: VALID. The supplier (CaliSync GmbH) is fully compromised and does not know it. This is not a certificate revocation problem – it is a compromised vendor problem.


Investigation Progress Tracking

Session Worksheet – Mark Progress as Team Discovers

Inject 1 (T+0): Supply Chain Entry + Azure Authentication Anomaly

Initial Discovery:

Key Decision: Isolate HANSEN-SAP-01 first (cuts active Azure access) vs isolate calibration workstations first (stops ongoing harvesting but attacker already has credentials)

Correct Priority: HANSEN-SAP-01 – the attacker has current active Azure R&D access from there right now


Inject 2 (T+20): Kernel Rootkit on HANSEN-SAP-01

Forensic Discovery:

Key Decision: Preserve memory image and kernel driver artifact before any remediation action

Red Flag: Team reimages without capturing memory image – attribution and CFCS coordination value permanently lost


Inject 3 (T+45): Pass-the-Hash via Collaborative Bridge

Lateral Movement Confirmed:

Key Decision: Revoke credentials and close exception immediately vs wait for full scope picture. Both steps needed – credential revocation alone is insufficient if the exception remains open for other accounts.

Red Flag: Team delays credential revocation – active cloud R&D access continues during the delay


Inject 4 (T+70): ~10 GB Exfiltration Detected

Exfiltration Scope:

Key Decision: How to scope the damage assessment – what can be confirmed vs what is still under investigation. CFCS wants indicators. The vendor (CaliSync GmbH) does not know they are compromised.

Red Flag: Team focuses on the relatively small volume and underestimates impact. ~10 GB of targeted core IP is catastrophic.


Inject 5 (T+95): CFCS Coordination and Vendor Notification

Multi-Stakeholder Coordination:

Key Decision: How to share indicators with CFCS while managing the vendor notification – CaliSync GmbH is still pushing compromised updates to other customers

Red Flag: Team delays vendor notification – every hour of delay means other CaliSync customers remain exposed to the weaponized update


Inject 6 (T+115): Decision and Debrief Pivot

Post-Incident:


Type Effectiveness Matrix

Winnti (APT/Supply Chain) – Response Effectiveness

Highly Effective

Memory Forensics:

  • Bypasses DKOM kernel hooks that defeat disk-based scanning
  • Reveals hidden processes invisible to tasklist.exe
  • Captures kernel driver artifact before reimaging destroys evidence
  • Why Effective: Winnti’s kernel rootkit specifically defeats file system enumeration; physical memory is the only path to ground truth

Supply Chain Integrity Verification (beyond certificate validation):

  • OCSP was checked at deployment and returned VALID – certificate validation alone was insufficient because the supplier is compromised, not the certificate
  • Code integrity checks (hash verification against vendor-published manifests, reproducible builds, binary diffing against known-good versions) would have detected the weaponized payload
  • Why Effective: When the vendor itself is compromised, certificate validation passes. You need deeper supply chain verification – binary analysis, behavioral baselines, or independent build verification

Behavioral Analysis (process tree):

  • calibsvc.exe spawning PowerShell with encoded command is a high-confidence indicator
  • Pattern consistent across all 3 workstations confirms weaponized update vs workstation anomaly
  • Why Effective: Supply chain delivery hijacks a trusted vendor process; legitimate vendor software does not spawn encoded PowerShell, so the parent-child relationship itself is the signal
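The calibsvc.exe to encoded PowerShell to net.exe chain described under Supply Chain Entry and in the Behavioral Analysis section above can be written as a detection over process-creation telemetry. This is an added example, not code from the scenario materials or any EDR product: the event records are constructed, the control hosts BIOGEN-RD-WS-07 and BIOGEN-IT-WS-12 are assumed names, and the encoded string is a placeholder.

```python
"""Process-tree detection: calibsvc.exe -> (any hops) -> encoded PowerShell -> net.exe user ... /domain.

Constructed EDR-style process-creation events (not real telemetry) modelled on the
three BIOGEN-RD-WS workstations in the scenario, plus two constructed control hosts.
"""
from collections import defaultdict

ENCODED_SWITCHES = {"-encodedcommand", "-enc", "-ec", "-e"}  # powershell.exe accepts all four
ANCESTOR_IMAGE = "calibsvc.exe"


def ev(host, pid, ppid, image, cmdline):
    return {"host": host, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# "QUJDRA==" is a constructed placeholder, not a real encoded payload.
SAMPLE_EVENTS = [
    # BIOGEN-RD-WS-01: calibsvc.exe -> svchost.exe -> powershell.exe -> net.exe
    ev("BIOGEN-RD-WS-01", 1204, 4, "services.exe", "services.exe"),
    ev("BIOGEN-RD-WS-01", 3380, 1204, "calibsvc.exe", "calibsvc.exe -service"),
    ev("BIOGEN-RD-WS-01", 3412, 3380, "svchost.exe", "svchost.exe -k netsvcs"),
    ev("BIOGEN-RD-WS-01", 3490, 3412, "powershell.exe", "powershell.exe -NoP -W Hidden -EncodedCommand QUJDRA=="),
    ev("BIOGEN-RD-WS-01", 3502, 3490, "net.exe", "net.exe user svc-rdbridge-admin /domain"),
    # BIOGEN-RD-WS-02: same chain, abbreviated switch
    ev("BIOGEN-RD-WS-02", 1188, 4, "services.exe", "services.exe"),
    ev("BIOGEN-RD-WS-02", 2966, 1188, "calibsvc.exe", "calibsvc.exe -service"),
    ev("BIOGEN-RD-WS-02", 3001, 2966, "svchost.exe", "svchost.exe -k netsvcs"),
    ev("BIOGEN-RD-WS-02", 3044, 3001, "powershell.exe", "powershell.exe -nop -w hidden -enc QUJDRA=="),
    ev("BIOGEN-RD-WS-02", 3059, 3044, "net.exe", "net.exe user svc-rdbridge-admin /domain"),
    # BIOGEN-RD-WS-03: same chain
    ev("BIOGEN-RD-WS-03", 1210, 4, "services.exe", "services.exe"),
    ev("BIOGEN-RD-WS-03", 3310, 1210, "calibsvc.exe", "calibsvc.exe -service"),
    ev("BIOGEN-RD-WS-03", 3355, 3310, "svchost.exe", "svchost.exe -k netsvcs"),
    ev("BIOGEN-RD-WS-03", 3402, 3355, "powershell.exe", "powershell.exe -w hidden -ec QUJDRA=="),
    ev("BIOGEN-RD-WS-03", 3420, 3402, "net.exe", "net.exe user svc-rdbridge-admin /domain"),
    # BIOGEN-RD-WS-07 (constructed control): benign updater child, no PowerShell
    ev("BIOGEN-RD-WS-07", 1200, 4, "services.exe", "services.exe"),
    ev("BIOGEN-RD-WS-07", 3300, 1200, "calibsvc.exe", "calibsvc.exe -service"),
    ev("BIOGEN-RD-WS-07", 3333, 3300, "CaliSyncUpdater.exe", "CaliSyncUpdater.exe /check"),
    # BIOGEN-IT-WS-12 (constructed control): admin-run encoded PowerShell, no calibsvc.exe ancestor
    ev("BIOGEN-IT-WS-12", 812, 640, "explorer.exe", "explorer.exe"),
    ev("BIOGEN-IT-WS-12", 990, 812, "powershell.exe", "powershell.exe -e QUJDRA=="),
]


def is_encoded_powershell(proc):
    tokens = proc["cmdline"].lower().split()
    return proc["image"].lower() == "powershell.exe" and any(t in ENCODED_SWITCHES for t in tokens)


def ancestors(proc, by_pid, max_depth=4):
    """Parent chain of proc, nearest first; bounded, and safe against missing parents or cycles."""
    chain, seen, cur = [], set(), by_pid.get(proc["ppid"])
    while cur is not None and cur["pid"] not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return chain


def detect_calibsvc_chain(events):
    """One finding per encoded PowerShell process that descends from calibsvc.exe on a host."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    findings = []
    for host, procs in per_host.items():
        by_pid = {p["pid"]: p for p in procs}
        children = defaultdict(list)
        for p in procs:
            children[p["ppid"]].append(p)
        for p in procs:
            if not is_encoded_powershell(p):
                continue
            chain = ancestors(p, by_pid)
            if not any(a["image"].lower() == ANCESTOR_IMAGE for a in chain):
                continue  # encoded PowerShell without the vendor-service ancestor is a different rule
            recon = [c["cmdline"] for c in children[p["pid"]]
                     if c["image"].lower() == "net.exe"
                     and " user " in c["cmdline"].lower() and "/domain" in c["cmdline"].lower()]
            findings.append({"host": host, "powershell_pid": p["pid"],
                             "lineage": [a["image"] for a in reversed(chain)] + [p["image"]],
                             "domain_user_recon": recon})
    return findings


def assess(findings):
    """The same chain on several workstations points at the update, not at one host."""
    hosts = sorted({f["host"] for f in findings})
    if len(hosts) >= 2:
        return "weaponized update suspected", hosts
    if hosts:
        return "single-workstation anomaly", hosts
    return "no match", hosts


if __name__ == "__main__":
    for f in detect_calibsvc_chain(SAMPLE_EVENTS):
        print(f["host"], " -> ".join(f["lineage"]), f["domain_user_recon"])
    print(assess(detect_calibsvc_chain(SAMPLE_EVENTS)))
```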

Moderately Effective

Network Traffic Analysis:

  • Identifies graph-api-sync.bioanalytics.net destination despite SNI spoofing
  • Domain age, IP ownership, certificate mismatch are detectable with TLS inspection
  • Why Effective: Exfiltration infrastructure has detectable anomalies – young domain, self-signed cert, privacy proxy registration

Legacy System Governance:

  • HANSEN-SAP-01 was the persistence anchor; decommissioning it would have closed the attack path
  • ITSM-29847 was open 18 months with no resolution
  • Why Effective: Removes the persistence anchor, but doesn’t address the supply chain entry vector

Somewhat Effective

Conditional Access Policy Review:

  • Removing COLLBRIDGE-EXCL-003 would have stopped all lateral movement sessions
  • A single policy lifecycle review after the post-merger consolidation would have eliminated this path
  • Why Effective: Closes the lateral movement path but doesn’t address the initial foothold or exfiltration infrastructure

Ineffective

Signature-Based Antivirus:

  • Kernel rootkit intercepts file system queries before AV can enumerate hidden files
  • Standard tasklist.exe returns clean output – rootkit hides own entries
  • Disk scans on HANSEN-SAP-01 returned clean throughout 90-day dwell period
  • Why Ineffective: Winnti specifically designed to defeat userland enumeration tools

DLP Alert Tuning (alone):

  • All three DLP rules had adjacent gaps that together created a blind spot
  • Patching one rule (e.g. per-day cap) still leaves SNI trust and service account exclusion
  • Why Ineffective: Defense-in-depth failure – patching a single rule doesn’t address the layered gap
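The exfiltration mechanics listed under Technical Mechanisms, the TLS anomalies in Network Traffic Analysis, and the layered DLP gap described here can be replayed against sample traffic. This is an added example, not code from the scenario materials: the session records, certificate names, root store, SNI allowlist and cap values are constructed, and the root-store lookup stands in for real chain building.

```python
"""Replaying the three adjacent DLP gaps (SNI trust, service-account off-hours exemption,
per-day cap) against constructed TLS session records. Nothing here is BioGenix telemetry."""
from dataclasses import dataclass

TRUSTED_ROOTS = {"Example Trusted Root CA"}                        # constructed root store
TRUSTED_SNI = {"graph.microsoft.com", "login.microsoftonline.com"}  # names the as-deployed DLP trusts


@dataclass
class TlsSession:
    src_host: str
    account: str
    hour: int                  # local hour of day, 0-23
    mb: int                    # megabytes sent in the session
    sni: str                   # server name in the ClientHello
    cert_subject_cn: str
    cert_issuer_cn: str
    cert_sans: list
    dest_domain: str           # destination recovered from DNS / passive records
    dest_domain_age_days: int


@dataclass
class DlpPolicy:
    validate_cert: bool                    # False: trust the SNI string alone
    service_account_offhours_exempt: bool  # True: svc-* accounts skip off-hours checks
    daily_cap_mb: int


def is_service_account(account):
    return account.startswith("svc-")


def is_off_hours(hour):
    return hour >= 20 or hour < 6


def destination_trusted(s, policy):
    """As deployed: trust the SNI alone. Hardened: the presented certificate must cover
    the SNI and chain to a trusted root, so a self-signed impersonation fails."""
    if not policy.validate_cert:
        return s.sni in TRUSTED_SNI, "SNI matched allowlist"
    if s.sni not in s.cert_sans:
        return False, "certificate does not cover SNI"
    if s.cert_issuer_cn == s.cert_subject_cn or s.cert_issuer_cn not in TRUSTED_ROOTS:
        return False, "untrusted or self-signed certificate"
    return s.sni in TRUSTED_SNI, "validated certificate for allowlisted name"


def evaluate(s, policy):
    """Return ('allow' | 'alert', reason). Rule order mirrors the gap: the exemption and
    destination trust both short-circuit the volume cap, so the cap never sees this traffic."""
    if policy.service_account_offhours_exempt and is_service_account(s.account) and is_off_hours(s.hour):
        return "allow", "service account exempt from off-hours policy"
    trusted, why = destination_trusted(s, policy)
    if trusted:
        return "allow", why
    if s.mb > policy.daily_cap_mb:
        notes = [why, f"{s.mb} MB exceeds {policy.daily_cap_mb} MB cap"]
        if s.dest_domain_age_days < 180:
            notes.append(f"{s.dest_domain} registered {s.dest_domain_age_days} days ago")
        return "alert", "; ".join(notes)
    return "allow", f"{why}; under cap"


# Constructed sessions: one off-hours batch read leaving the cloud R&D environment, one normal user.
EXFIL = TlsSession("AZURE-RD-ENV-01", "svc-rdbridge-admin", 22, 340, "graph.microsoft.com",
                   "graph.microsoft.com", "graph.microsoft.com", ["graph.microsoft.com"],
                   "graph-api-sync.bioanalytics.net", 120)
LEGIT = TlsSession("BIOGEN-RD-WS-05", "k.fonsmark", 14, 12, "graph.microsoft.com",
                   "graph.microsoft.com", "Example Trusted Root CA", ["graph.microsoft.com"],
                   "graph.microsoft.com", 5000)

AS_DEPLOYED = DlpPolicy(validate_cert=False, service_account_offhours_exempt=True, daily_cap_mb=1024)
ALL_THREE = DlpPolicy(validate_cert=True, service_account_offhours_exempt=False, daily_cap_mb=100)


def single_rule_patches():
    """The three one-rule fixes; each leaves the other two gaps in place."""
    return {
        "cap only": DlpPolicy(False, True, 100),
        "cert validation only": DlpPolicy(True, True, 1024),
        "exemption removed only": DlpPolicy(False, False, 1024),
    }


if __name__ == "__main__":
    print("as deployed:", evaluate(EXFIL, AS_DEPLOYED))
    for name, policy in single_rule_patches().items():
        print(f"{name}:", evaluate(EXFIL, policy))
    print("all three:", evaluate(EXFIL, ALL_THREE))
    print("legit user, all three:", evaluate(LEGIT, ALL_THREE))
```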

Facilitator Notes

If team isolates workstations before HANSEN-SAP-01:

  • Remind them: attacker already has the credential hash; workstation isolation stops future harvesting but the active Azure access is still live via HANSEN-SAP-01
  • Ask: “The attacker is in your Azure R&D environment right now. Which system is providing that access?”

If team rushes to reimage without preserving forensics:

  • CFCS arrives asking for the kernel driver artifact and memory image – they no longer exist
  • Attribution to CB-2026-0312 cannot be confirmed; CFCS coordination is blocked

If team delays vendor notification waiting for CFCS approval:

  • CaliSync GmbH is still pushing compromised updates to other customers every hour the team waits
  • CFCS coordination and vendor notification are parallel workstreams – one does not gate the other
  • Ask: “CaliSync GmbH is pushing v4.2.1 to other customers right now. What is your obligation?”

Inject 1 – T+0: Supply Chain Evidence

CFCS Intelligence and SOC Correlation

Starting Information

What the teams have at 13:00:

  • CFCS intelligence (shared via CISO): Indicators from a European biotech victim match BioGenix infrastructure – SNI-spoofed HTTPS sessions, CaliSyncPro supply chain vector, specific C2 domains
  • EDR process tree: calibsvc.exe → svchost.exe → powershell.exe -encodedCommand → net.exe user svc-rdbridge-admin /domain on BIOGEN-RD-WS-01, WS-02, WS-03
  • Azure AD alert: HANSEN-SAP-01 authenticated as svc-rdbridge-admin twice last night; COLLBRIDGE-EXCL-003 exception bypassed Conditional Access
  • GenixLibrary audit log: 21 sequential sequence file reads between 22:21-23:48 UTC, account svc-rdbridge-admin, no interactive logon

Handout: Distribute Handout A: Supply Chain Evidence


Discussion Prompts

Drive toward the isolation sequence:

  • “Which system is providing the attacker their active Azure R&D access right now?”
  • “What evidence needs to be preserved from the calibration workstations before you isolate them?”
  • “Who owns the decision to isolate HANSEN-SAP-01? It’s in the Collaborative Bridge dependency chain – Katrine and Bent both have a stake.”

Conditional outcomes:

  • Team isolates HANSEN-SAP-01 first: Active Azure R&D access cut. Collaborative Bridge drops briefly. Calibration workstations isolated next – rootkit artifacts preserved.
  • Team delays HANSEN-SAP-01 isolation: Attacker maintains active Azure access during delay. Additional GenixLibrary read sessions possible before cutoff.

Success indicators: Incident command established, isolation sequence prioritized (HANSEN-SAP-01 first), evidence preservation owner assigned.


Inject 2 – T+20: Kernel Rootkit

HANSEN-SAP-01 Memory Forensics

What the Security Specialist Reports

“Hardware-assisted memory enumeration of HANSEN-SAP-01 is complete. Standard tasklist.exe shows 87 processes. Physical memory enumeration shows 92. Five hidden PIDs. PID 4028 has an ESTABLISHED connection to 203.0.113.44:443 right now. The kernel driver masking these processes is signed by CaliSync Instrumentation GmbH – and that certificate is VALID. OCSP check confirms it. The signature is legitimate. But the payload is not. And HANSEN-SAP-01 hasn’t had a security patch since August 2024. It’s been excluded from SOC monitoring since the decommission ticket was opened.”

Handout: Distribute Handout B: Rootkit Forensic Artifacts


Discussion Prompts

Drive toward evidence preservation:

  • “The rootkit is active and network-connected right now. What do you capture before you do anything else?”
  • “Why did every disk scan return clean? What does that tell you about the detection layer that was missing?”
  • “The certificate is VALID. OCSP returns good. But the payload is malicious. What does that tell you about the vendor?”

Conditional outcomes:

  • Team preserves memory image and kernel driver artifact before isolation: CFCS confirms match to CB-2026-0312 campaign. Attribution viable. Artifact sharing strengthens the European response.
  • Team reimages without preservation: CFCS requests artifacts – they no longer exist. Attribution blocked. BioGenix cannot contribute to the coordinated response.

Success indicators: Memory image captured, kernel driver artifact preserved, CFCS artifact sharing decision made, vendor compromise hypothesis formed.


Inject 3 – T+45: Pass-the-Hash Confirmed

Lateral Movement via Collaborative Bridge

What Network Forensics Confirms

“Correlation complete. svc-rdbridge-admin authenticated from HANSEN-SAP-01 into the Azure R&D environment multiple times over the dwell period. Every session is NTLM. No interactive logon preceding any session – not one. COLLBRIDGE-EXCL-003 is a Conditional Access exception created on 2024-11-14 during the post-merger infrastructure consolidation. Expiry: NONE SET. Last reviewed: NEVER.”

Handout: Distribute Handout C: Lateral Movement Log


Discussion Prompts

Drive toward credential revocation and policy closure (two-step close):

  • “Multiple sessions, all NTLM, no interactive logon preceding any of them. What does the absence of an interactive logon tell you about how these credentials were used?”
  • “Which Azure R&D resources were within reach of svc-rdbridge-admin – and does that scope match your current exfiltration estimate?”
  • “COLLBRIDGE-EXCL-003 was created during post-merger consolidation and never reviewed. What governance process should have caught this?”
  • “If you revoke the credentials but leave the exception open, what risk remains?”

Surface Katrine’s involvement (optional pressure):

  • Bent can note that the exception approval record shows a CTO-level authorization
  • Let Katrine disclose on her own; don’t force it unless the team presses on the policy gap directly

Conditional outcomes:

  • Team revokes credentials AND closes exception (two-step close): Active cloud R&D access terminated. The lateral movement path is fully closed. Investigation shifts to historical exfiltration scope.
  • Team revokes credentials but leaves exception open: Path remains exploitable if attacker has additional harvested credentials.
  • Team delays both: Attacker maintains access during delay; additional GenixLibrary data potentially accessed before cutoff.

Success indicators: svc-rdbridge-admin credentials revoked, COLLBRIDGE-EXCL-003 closed, scope of Azure resources documented.


Inject 4 – T+70: Exfiltration Scope

~10 GB of Targeted IP

What the Traffic Retrospective Shows

“Approximately 10 gigabytes outbound over port 443, destination graph-api-sync.bioanalytics.net. Domain registered 4 months ago, privacy proxy, self-signed certificate impersonating Microsoft. DLP classified all of it as Microsoft telemetry – it trusted the SNI header and never validated the certificate. GenixLibrary audit log shows off-hours batch read sessions since December. About 7 gig of historical R&D data, and in the last few weeks, a shift to active collection – 2 to 3 gig of core enzyme engineering IP. svc-rdbridge-admin was excluded from off-hours movement policy as a service account. This was patient, targeted collection – not a smash-and-grab.”

Handout: Distribute Handout D: Exfiltration Traffic Analysis


Discussion Prompts

Drive toward scoped damage assessment and vendor notification decision:

  • “~10 GB over months, shifting from historical archives to active core IP. What does that progression tell you about the attacker’s intent?”
  • “The volume is small. The value is enormous. How do you communicate that to leadership?”
  • “CaliSync GmbH is still pushing v4.2.1 to other customers. Their certificate is valid. They don’t know they’re compromised. What is your obligation?”
  • “CFCS wants your indicators to cross-reference with other European victims. What can you share, and what do you need to preserve for your own investigation?”

Phillip Christensen enters:

“I’ve just been briefed. Ten gigabytes doesn’t sound like much. Help me understand why this is serious.”

Present the tension: small volume but catastrophic value. The core fermentation IP is BioGenix’s entire competitive advantage.

Conditional outcomes:

  • Team provides calibrated damage assessment with confidence qualifiers: CFCS and leadership receive credible update. Vendor notification initiated.
  • Team underestimates impact based on volume: Leadership deprioritizes response; vendor notification delayed; other CaliSync customers remain exposed.

Success indicators: Exfiltration scope documented with confidence level, vendor notification decision made, CFCS artifact sharing initiated.


Inject 5 – T+95: CFCS Coordination and Vendor Notification

IC Handover and External Coordination

SBAR Handover and Simultaneous Demands

IC Handover: IC #1 has been running the response for 95 minutes. IC #2 arrives and receives an SBAR briefing. IC #2 says: “I have command.” The team must adapt to the new IC while maintaining momentum.

CFCS: They have confirmed this is part of a European campaign. CFCS bulletin CB-2026-0312 cites identical supply chain patterns across multiple European biotech/pharma targets. They want your memory image, kernel driver artifact, and network indicators.

CaliSync GmbH (vendor): Still unaware their build pipeline is compromised. Still pushing v4.2.1 to all customers. Someone needs to notify them – but how, and what do you share?


Discussion Prompts

Drive toward coordinated external response:

  • “IC #2 just took command. What does the SBAR handover need to cover? What is the most critical context IC #2 needs right now?”
  • “CFCS wants your artifacts. What specifically do you share? Memory image? Network indicators? Kernel driver sample?”
  • “CaliSync GmbH doesn’t know they’re compromised. How do you notify them without tipping off the attacker that you’ve detected the intrusion?”
  • “Other CaliSync customers are still receiving weaponized updates right now. How does that affect your notification urgency?”

If team delays vendor notification:

  • Every hour of delay means more organizations receive the compromised update
  • CFCS may be able to facilitate the vendor notification through their European network – but the team needs to ask

Facilitator reference numbers (share if asked):

  • CFCS bulletin: CB-2026-0312

Conditional outcomes:

  • Team separates workstreams and executes in parallel: CFCS receives artifacts, vendor notification initiated, IC handover smooth.
  • Team conflates workstreams or delays vendor notification: Other CaliSync customers remain exposed; CFCS coordination stalls waiting for artifacts the team has not prepared.

Success indicators: IC handover complete with SBAR, CFCS artifact sharing initiated, vendor notification decision made with clear owner.


Inject 6 – T+115: Decision and Debrief Pivot

Hot Wash

Transition Script

“Immediate containment is in place. You have stopped the bleeding. But approximately 10 gigabytes of targeted genomic and fermentation IP – including your core enzyme engineering datasets – may already be in the hands of a foreign intelligence service. And CaliSync GmbH is still shipping compromised software to other customers. The next decisions you make determine whether this becomes a repeat event or a turning point for BioGenix and the broader European biotech sector.”


Debrief Questions

Technical:

  • The certificate was VALID. OCSP returned good. What detection would have caught this that certificate validation could not?
  • Which single control failure had the highest leverage point – the decommissioning backlog, the Conditional Access policy gap, or the DLP blind spot?
  • What would memory forensics as a standard decommission step have changed?

Governance:

  • Who should own the lifecycle of Conditional Access exceptions created during post-merger consolidation?
  • What is the right decommissioning governance process for a system that operations won’t release?
  • How should you validate vendor software updates when the vendor themselves may be compromised?

Strategic:

  • What does this incident mean for your supply chain security posture going forward?
  • CFCS confirmed multiple European firms were hit by the same campaign. What does coordinated response look like?
  • How did the IC handover (SBAR, “I have command”) affect the team’s response? What would you do differently?
  • The central dilemma was preserve forensic evidence vs. immediate eradication. How did your team navigate that tension?

Success Indicators for Debrief

  • Team identifies concrete remediation owners and deadlines (not just categories of work)
  • Debrief focuses on systemic gaps – not individual fault
  • Team leaves with prioritized action owners across: supply chain validation, legacy system governance, DLP coverage, Conditional Access lifecycle management, vendor relationship security
  • Team reflects on IC handover effectiveness and CFCS coordination quality

Red flag: Debrief narrows to “Katrine should have expired the exception” – individual fault framing. Redirect toward the governance structure that should have caught it regardless of who created it.


Debrief Framework

What Just Happened

The Attack Chain

  1. Supply chain entry: Winnti delivered via weaponized calibration software update from a fully compromised vendor. The certificate was VALID. OCSP returned good. Everything looked legitimate – but the payload was malicious.
  2. Kernel-level persistence: Signed kernel driver (VALID certificate) loaded on an orphaned SAP server, hiding itself from every standard enumeration tool via DKOM.
  3. Lateral movement: Pass-the-Hash using a harvested credential hash through the Collaborative Bridge. A legacy Conditional Access exception left over from the post-merger consolidation provided the opening.
  4. Targeted exfiltration: ~10 GB of carefully selected IP – ~7 GB historical R&D data plus ~2-3 GB of active core enzyme engineering datasets. Disguised as Microsoft Graph API telemetry via SNI spoofing.

Why Standard Tools Missed It

  • Disk scans returned clean – the rootkit intercepted the queries via DKOM
  • DLP trusted the SNI header – certificate validation was never performed on the destination
  • The exfiltration account was excluded from off-hours policy – it was a service account
  • The persistence host was excluded from SOC monitoring – it was awaiting decommissioning
  • The vendor’s code-signing certificate was VALID – standard supply chain checks passed
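The DLP blind spot above comes down to accepting a claim (the SNI) without checking the evidence that should back it (the presented certificate and the destination address). The following detection sketch is an added example, not part of the scenario materials or any BioGenix tooling; the trusted prefix list and the sample sessions are constructed placeholders.

```python
"""Detection sketch (added example, not part of the scenario materials): flag TLS
sessions whose SNI claims a Microsoft Graph host but whose server certificate or
destination address does not back that claim. Sample records are constructed."""
import ipaddress
from typing import Dict, List

# Constructed placeholder: in production, load Microsoft's published service prefixes.
TRUSTED_PREFIXES = [ipaddress.ip_network("20.0.0.0/8")]  # hypothetical allowlist
CLAIMED_SUFFIXES = ("graph.microsoft.com", "microsoft.com")

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def check_session(rec: Dict) -> List[str]:
    """Return reasons this session looks SNI-spoofed (empty list = consistent)."""
    sni = rec["sni"].lower()
    if not any(sni == s or sni.endswith("." + s) for s in CLAIMED_SUFFIXES):
        return []  # only examine sessions that claim to be Microsoft traffic
    reasons = []
    if not any(hostname_matches(n, sni) for n in rec["cert_sans"]):
        reasons.append("server certificate does not cover SNI")
    dst = ipaddress.ip_address(rec["dst_ip"])
    if not any(dst in net for net in TRUSTED_PREFIXES):
        reasons.append("destination outside trusted Microsoft prefixes")
    return reasons

def flag_sessions(records: List[Dict]) -> Dict[str, List[str]]:
    """Map session uid -> reasons, for sessions with at least one inconsistency."""
    return {r["uid"]: rs for r in records if (rs := check_session(r))}

# Constructed sample sessions (not real indicators). s2 mirrors the scenario:
# SNI says Graph, but the certificate and destination say otherwise.
SAMPLE = [
    {"uid": "s1", "sni": "graph.microsoft.com", "dst_ip": "20.10.1.1",
     "cert_sans": ["*.microsoft.com", "graph.microsoft.com"]},
    {"uid": "s2", "sni": "graph.microsoft.com", "dst_ip": "203.0.113.45",
     "cert_sans": ["cdn-telemetry.example"]},
    {"uid": "s3", "sni": "updates.example.net", "dst_ip": "198.51.100.9",
     "cert_sans": ["updates.example.net"]},
]

if __name__ == "__main__":
    for uid, reasons in flag_sessions(SAMPLE).items():
        print(uid, "->", "; ".join(reasons))
```

Fed from a TLS log that records SNI, certificate SANs and destination, the same cross-check covers any cloud-service impersonation, not only the Graph API disguise used here.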

What Effective Teams Did

  • Treated the absence of an interactive logon as a meaningful signal, not a reporting gap
  • Captured memory forensics before isolation or reimaging – preserving evidence for CFCS
  • Executed the two-step close: credential revocation AND exception closure
  • Managed the IC handover smoothly with SBAR briefing
  • Initiated vendor notification urgently – understanding that CaliSync GmbH was still shipping compromised updates
  • Shared artifacts with CFCS to support the broader European response

What Made This Hard

The central dilemma – preserve forensic evidence vs. immediate eradication – forced teams to make uncomfortable tradeoffs under time pressure. Institutional debt – decommissioning backlogs, post-merger integration shortcuts, compliance exceptions with no expiry – created the conditions the attacker exploited. And the hardest part: the vendor’s certificate was VALID. Standard supply chain validation passed. The sophistication of Winnti is real. But the attack succeeded because of governance failures that predated it.


Continue Your Learning

Scenario Resources

  • Malmon Profile: Complete Winnti technical details, MITRE ATT&CK mapping, and facilitation guidance
  • Scenario Card: Full scenario card with role-specific discovery paths and resolution options
  • Planning Guide: Detailed facilitation guidance, NPC development, and customization options
  • IM Inject Deck: Printable inject cards for each scenario phase

Thank You for Playing!

Continue the Adventure

Share Your Experience

  • Feedback: How did this scenario work for your team? Share with us
  • Customization: Adapted this scenario for a different regulatory context or industry? We’d love to hear about it.

Explore More Expert Scenarios

  • Litter Drifter: USB-delivered worm targeting defense contractors and government ministries
  • Noodle RAT: Chinese APT targeting aerospace and investment banking environments
  • Stuxnet: ICS/SCADA sabotage in critical infrastructure settings

Keep Learning


Patient adversaries reveal impatient defenses. The dwell time was not a limitation – it was a choice. And the certificate was valid the entire time.