Winnti – BioGenix Solutions

Chinese APT Supply Chain Espionage Under Merger Pressure

Malware & Monsters

2026-03-14

Welcome to Malware & Monsters!

What You’re About to Experience

You’re part of BioGenix Solutions’ incident response team, facing the worst possible timing: a security incident surfacing on the same week as a major acquisition close.

Your Mission

Investigate and contain a sophisticated intrusion while protecting proprietary R&D, managing a live merger negotiation, meeting GDPR obligations to Datatilsynet, and coordinating with Danish intelligence agencies – all simultaneously.

Quick Start for Incident Masters

New to facilitating Malware & Monsters? Start here:

IM Quick Start Guide – Everything you need to run this scenario in one concise document

The Hook

Monday Morning, 07:45 – Overnight Alerts Waiting

Your on-call SOC analyst hands you a stack of alerts that accumulated overnight. They flagged them for escalation at shift change rather than acting alone – none individually looked catastrophic, but the pattern is wrong.

What Landed in Your Queue

  • EDR Console: Three bioreactor calibration workstations generated unexpected child processes starting at 22:14 last night – shortly after the CaliSyncPro software update completed
  • Azure AD Alerts: HANSEN-SAP-01, which the ITSM system lists as scheduled for decommissioning, authenticated into your Azure cloud R&D environment twice last night
  • GenixLibrary Audit Log: Six sequential reads of DNA sequence files between 22:21 and 23:48 – no corresponding user session, no scheduled job
  • Network Monitoring: Anomalous outbound HTTPS volume from the cloud R&D environment, classified by DLP as Microsoft telemetry

Something is active inside your environment right now. The question is what, and how long it has been there.

Organization Context

BioGenix Solutions

Sector: Precision fermentation and industrial enzyme engineering

Size: 1,800 employees, headquarters in Copenhagen

Current Situation: Active acquisition negotiation – an international buyer has been conducting due diligence for 8 weeks. The deal is expected to close by end of month. The acquisition data room contains 3+ years of proprietary R&D.

Key Systems

  • GenixLibrary – proprietary genomic sequence and fermentation IP repository, hosted in Azure cloud R&D environment
  • Collaborative Bridge – VPN integration established during merger negotiations, connecting on-premise systems to the Azure R&D environment
  • Hansen-Core SAP NetWeaver – legacy ERP instance (HANSEN-SAP-01), scheduled for decommissioning since September 2024, still network-connected

Why This Matters Now

If the R&D portfolio has been compromised, the acquisition counterparty is negotiating with incomplete information. And if proprietary genomic sequences are in foreign hands, the competitive damage is permanent.

Initial Symptoms

What You’re Working With

Bioreactor Workstation Alerts

Three workstations (BIOGEN-RD-WS-01, WS-02, WS-03) all show the same pattern: the calibration service calibsvc.exe spawned a PowerShell process with an encoded command, which then ran net.exe user svc-rdbridge-admin /domain.

The CaliSyncPro update v4.2.1 completed at 22:13 last night. The process anomalies started at 22:14.

HANSEN-SAP-01 Authentication Activity

HANSEN-SAP-01 is an on-premise SAP NetWeaver server that should be offline – it was marked for decommissioning 18 months ago. Last night it authenticated as svc-rdbridge-admin into your Azure AD environment, bypassing Conditional Access via a legacy exception called COLLBRIDGE-EXCL-003.

GenixLibrary Off-Hours Access

Six sequential batch reads of GenixLibrary sequence files, originating from the Azure cloud environment, between 22:21 and 23:48. The account used: svc-rdbridge-admin. No interactive logon preceded any of these sessions.

The DLP Miss

847 gigabytes of outbound HTTPS traffic over the past 90 days, all classified by your DLP system as Microsoft Graph API telemetry. The destination resolves to graph-api-sync.bioanalytics.net – a domain registered 4 months ago via a privacy proxy.

NPCs: Your Key Contacts

People Who Need Your Help

Phillip Christensen – CEO

What They Care About: Closing the acquisition on schedule, protecting shareholder value, preserving BioGenix’s market position

Current State: Not yet fully briefed – knows there are “some security alerts” but doesn’t know the scope

Helpful For: Authorization for aggressive containment actions, acquisition counterparty communication, board-level decisions

Potential Barrier: May resist actions that could surface to the acquisition counterparty and complicate the deal

Katrine Fønsmark – CTO

What They Care About: R&D pipeline integrity, system availability, the security of GenixLibrary

Current State: Alarmed – she knows GenixLibrary is the core acquisition asset and any integrity question is a deal-risk

Helpful For: Technical architecture, access controls, understanding what GenixLibrary data was accessible, authorizing forensic work on cloud R&D systems

Potential Barrier: Will want forensic work to be thorough but fast, which creates tension with evidence preservation

Bent Sejrø – CISO

What They Care About: Containment, evidence preservation, regulatory compliance, counterintelligence coordination

Current State: Running the incident response – has escalated to you for structured team decision-making

Helpful For: Forensic strategy, GDPR 72-hour clock, CFCS coordination, what ITSM records show about HANSEN-SAP-01

Potential Barrier: Cautious by nature; may slow decisions trying to verify before acting

Dr. Ida Woetmann – VP Research & Development

What They Care About: GenixLibrary data integrity, her research team’s work, understanding what was accessed and whether results are still valid

Current State: Deeply concerned – she assembled the acquisition data room packages personally

Helpful For: What data is in GenixLibrary, which datasets were included in the acquisition package, what an adversary would want

Potential Barrier: May become emotionally focused on one specific dataset or research program and narrow the team’s scope

NPC Hidden Agendas

Character Secrets & Development Arcs

Phillip Christensen – CEO

Hidden Agenda: The acquisition timeline is under board pressure – a deal delay costs BioGenix significant bridge financing. Phillip will resist anything that requires disclosure to the counterparty.

Secret Fear: That the exfiltration scope, once disclosed, collapses the valuation or kills the deal entirely.

Character Arc:

  • Initial: “Handle this quietly. We disclose when we have the full picture.”
  • Mid-Game: Confronts the reality that incomplete disclosure is worse than proactive disclosure
  • Resolution: Authorizes calibrated disclosure statement to counterparty – positions it as transparency that protects the deal

Roleplay Notes: Phillip is not malicious – he’s protecting his company. His arc is about understanding that opacity is a greater deal risk than honest, qualified disclosure.

Katrine Fønsmark – CTO

Hidden Agenda: She approved the COLLBRIDGE-EXCL-003 Conditional Access exception during the merger integration. She knows this, and she’s aware it’s the policy gap that let the attacker in.

Secret Fear: That the forensic investigation will surface her name on that exception approval.

Character Arc:

  • Initial: Pushes hard on containment, volunteers forensic resources
  • Mid-Game: Becomes evasive when the authentication policy gap is identified
  • Resolution: Discloses her role in the exception – frames it as a merger integration decision that needed lifecycle review

Roleplay Notes: Katrine is an asset to the response – her obstruction only appears on one specific topic. Push her gently if the team notices inconsistency in her cooperation.

Bent Sejrø – CISO

Hidden Agenda: He tried to get HANSEN-SAP-01 decommissioned six months ago. The ITSM ticket is still open. Facilities and Finance blocked it for budget reasons.

Secret Frustration: He has documentation of the risk – and he’s furious it went unaddressed.

Character Arc:

  • Initial: Methodical, process-oriented, cautious
  • Mid-Game: Reveals the ITSM history – ITSM-29847 open since 2024-08-15, blocked twice
  • Resolution: Uses the incident to make the case for governance reform on legacy system decommissioning backlog

Roleplay Notes: Bent is a sympathetic figure. His caution and frustration are both justified. He becomes more decisive as the team validates his prior risk assessments.

Dr. Ida Woetmann – VP R&D

Hidden Agenda: She suspects the attacker specifically targeted the acquisition data room packages – GenixLib-Acquisition-Package-v1 and v2 – because those datasets contain the full competitive picture, not just individual research files.

Secret Knowledge: She knows which competitor nations would benefit most from this specific data – she’s been tracking parallel research programs at Chinese state-backed institutions.

Character Arc:

  • Initial: Focused narrowly on her active research programs
  • Mid-Game: Raises the acquisition package concern – explains what those datasets contain
  • Resolution: Provides intelligence context that supports the CFCS and PET coordination

Roleplay Notes: Ida’s technical knowledge is a pivot point for the counterintelligence dimension. She can help the team understand why this incident is more than corporate espionage.

The Complete Technical Picture

What’s Really Happening – Winnti Supply Chain Espionage

Attack Timeline

2025-11-14: Code-signing certificate for CaliSync Instrumentation GmbH (SN 4A9F02B1) is revoked by the issuing CA.

2025-11-20: Domain graph-api-sync.bioanalytics.net registered via privacy proxy.

2025-12-04 (estimated): CaliSyncPro update v4.2.1 compiled with Winnti dropper embedded.

2025-12-04: CaliSyncPro v4.2.1 delivered via vendor update channel; trusted vendor exception policy skips OCSP/CRL check at deployment. Winnti dropper executes on three bioreactor workstations, harvests NTLM credential hash for svc-rdbridge-admin from memory via encoded PowerShell command.

2025-12-10 (first session): HANSEN-SAP-01 uses harvested svc-rdbridge-admin hash (Pass-the-Hash via NTLM) to authenticate through the Collaborative Bridge into Azure AD, bypassing Conditional Access via COLLBRIDGE-EXCL-003. First GenixLibrary batch read session: 19 files, Fermentation-Seq-Archive-2023.

2025-12-10 to 2026-03-09: 43 additional off-hours batch read sessions. 847 GB exfiltrated via port 443 to graph-api-sync.bioanalytics.net, TLS SNI spoofed as graph.microsoft.com.

2026-03-09 22:14: Process anomaly on calibration workstations triggers EDR alert (44th session underway).

2026-03-10 07:45 (now): On-call analyst escalates overnight alert batch at shift change.

Technical Mechanisms

Supply Chain Entry:

  • Winnti delivered via weaponized CaliSyncPro v4.2.1 update from CaliSync Instrumentation GmbH
  • Vendor trust exception bypassed certificate revocation check
  • Dropper executed as child process of calibsvc.exe on 3 bioreactor workstations
  • Encoded PowerShell harvested svc-rdbridge-admin NTLM hash from memory

Kernel-Level Persistence on HANSEN-SAP-01:

  • Signed kernel driver (revoked certificate 4A9F02B1) loaded at ring-0
  • Direct Kernel Object Manipulation (DKOM) via NtQuerySystemInformation hook hides 5 processes from standard enumeration
  • Hardware-assisted memory enumeration reveals 92 processes vs 87 in standard tasklist.exe
  • PID 4028 maintains active ESTABLISHED connection to 203.0.113.44:443
  • HANSEN-SAP-01 excluded from SOC monitoring under decommission-backlog exclusion
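Added example, not part of the scenario materials: the cross-view comparison behind the 92-vs-87 finding, reduced to a small constructed process list. Hidden PIDs are those present in the physical-memory view but absent from the userland view; each is joined to its connections so an ESTABLISHED remote session is triaged first. Process names, PIDs other than 4028 and the SAP dispatcher connection are constructed.

```python
from typing import Dict, List

# Constructed enumeration results standing in for the 92-vs-87 comparison
# (not the scenario's own forensic data): pid -> image name.
USERLAND_VIEW: Dict[int, str] = {
    4: "System", 612: "services.exe", 1340: "disp+work.exe", 2210: "svchost.exe",
}
MEMORY_VIEW: Dict[int, str] = {
    4: "System", 612: "services.exe", 1340: "disp+work.exe", 2210: "svchost.exe",
    4028: "svchost.exe", 4031: "rundll32.exe",   # absent from USERLAND_VIEW
}
# Constructed connection table in the shape a netstat-style parser would return.
CONNECTIONS: List[dict] = [
    {"pid": 4028, "state": "ESTABLISHED", "remote": "203.0.113.44:443"},
    {"pid": 1340, "state": "ESTABLISHED", "remote": "10.20.0.15:3200"},  # SAP dispatcher, constructed
    {"pid": 4031, "state": "LISTENING", "remote": "0.0.0.0:0"},
]

def cross_view_diff(userland: Dict[int, str], memory: Dict[int, str], connections: List[dict]) -> dict:
    """Return processes visible only to memory enumeration, joined to their
    network connections. A DKOM rootkit unlinks its processes from the lists
    userland tools walk, so presence in memory with absence in userland is the
    signal; an ESTABLISHED remote connection on a hidden PID is triaged first."""
    hidden = set(memory) - set(userland)
    findings = []
    for pid in sorted(hidden):
        conns = [c for c in connections if c["pid"] == pid]
        established = [c for c in conns if c["state"] == "ESTABLISHED"]
        findings.append({
            "pid": pid,
            "image": memory[pid],
            "remote": [c["remote"] for c in established],
            "priority": "critical" if established else "high",
        })
    # PIDs only in the userland view are usually races (process exited between the
    # two snapshots); they are reported so both captures can be retaken if many appear.
    stale = sorted(set(userland) - set(memory))
    return {"hidden": findings, "userland_only": stale,
            "counts": {"userland": len(userland), "memory": len(memory)}}
```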

Lateral Movement:

  • Pass-the-Hash: NTLM authentication from HANSEN-SAP-01 using harvested hash – no interactive logon ever recorded
  • COLLBRIDGE-EXCL-003 Conditional Access exception (created 2024-11-14, never reviewed, no expiry) bypasses MFA requirement
  • 11 confirmed NTLM sessions over 90 days, roughly weekly cadence
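Added example, not from the scenario pack: the "no interactive logon ever recorded" signal written as detection logic over constructed 4624-style logon events. It flags network logons authenticated with NTLM where the account has no interactive logon on the source host within the preceding 24 hours, and raises severity when the source host sits on the decommission backlog. The event shape, the 24-hour window and the non-scenario accounts and hosts are assumptions.

```python
from datetime import datetime, timedelta
from typing import List

INTERACTIVE_TYPES = {2, 10, 11}          # console, RDP, cached interactive
DECOMMISSION_BACKLOG = {"HANSEN-SAP-01"}  # hosts still listed as awaiting decommission

# Constructed logon events in the shape of Windows Security event 4624 (not a log
# from the scenario). "host" is the computer that logged the event, "source_host"
# the workstation name carried in the event.
AUTH_EVENTS = [
    # Two NTLM network logons from the orphaned SAP host, no interactive logon anywhere.
    {"time": "2026-03-09T22:19:04", "host": "AZURE-RD-ENV-01", "source_host": "HANSEN-SAP-01",
     "account": "svc-rdbridge-admin", "logon_type": 3, "auth_package": "NTLM"},
    {"time": "2026-03-09T23:31:40", "host": "GENIX-PROD-01", "source_host": "HANSEN-SAP-01",
     "account": "svc-rdbridge-admin", "logon_type": 3, "auth_package": "NTLM"},
    # Constructed admin: console logon on the workstation, then a Kerberos network logon.
    {"time": "2026-03-09T09:02:11", "host": "BIOGEN-IT-WS-07", "source_host": "BIOGEN-IT-WS-07",
     "account": "j.nielsen", "logon_type": 2, "auth_package": "Kerberos"},
    {"time": "2026-03-09T09:15:47", "host": "GENIX-PROD-01", "source_host": "BIOGEN-IT-WS-07",
     "account": "j.nielsen", "logon_type": 3, "auth_package": "Kerberos"},
    # Constructed admin: RDP logon followed by an NTLM network logon to a legacy share; not flagged.
    {"time": "2026-03-09T10:00:00", "host": "BIOGEN-IT-WS-07", "source_host": "BIOGEN-IT-WS-07",
     "account": "m.larsen", "logon_type": 10, "auth_package": "Negotiate"},
    {"time": "2026-03-09T10:05:00", "host": "FILESRV-02", "source_host": "BIOGEN-IT-WS-07",
     "account": "m.larsen", "logon_type": 3, "auth_package": "NTLM"},
]

def _t(e: dict) -> datetime:
    return datetime.fromisoformat(e["time"])

def ntlm_without_interactive(events: List[dict], window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Flag NTLM network logons whose account never logged on interactively at the
    source host in the preceding window. A replayed hash from a host the account
    never sat at produces exactly this shape: type 3, NTLM, nothing before it."""
    interactive = [e for e in events if e["logon_type"] in INTERACTIVE_TYPES]
    findings = []
    for e in events:
        if e["logon_type"] != 3 or e["auth_package"].upper() != "NTLM":
            continue
        t = _t(e)
        preceded = any(
            i["account"] == e["account"] and i["host"] == e["source_host"]
            and t - window <= _t(i) <= t
            for i in interactive
        )
        if preceded:
            continue
        findings.append({
            "time": e["time"], "account": e["account"], "source_host": e["source_host"],
            "target": e["host"],
            "severity": "high" if e["source_host"] in DECOMMISSION_BACKLOG else "medium",
        })
    return findings

def sessions_by_source(findings: List[dict]) -> dict:
    """Group findings per (source_host, account) so a repeating cadence stands out."""
    summary: dict = {}
    for f in findings:
        summary.setdefault((f["source_host"], f["account"]), []).append(f["time"])
    return summary
```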

Exfiltration:

  • Port 443 outbound from GENIX-PROD-01 and AZURE-RD-ENV-01
  • TLS SNI presented as graph.microsoft.com; actual destination graph-api-sync.bioanalytics.net
  • Self-signed certificate impersonating Microsoft – DLP trusts SNI header, never validates certificate
  • 44 off-hours batch sessions; svc-rdbridge-admin excluded from off-hours DLP policy as a service account
  • Per-day volume cap (50 GB) never breached; sessions spread across 44 nights
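Added example (not the scenario's DLP configuration): the three rules above coded as the scenario describes them, beside a hardened version that validates the certificate behind the SNI, aggregates volume per destination across days instead of per day, and drops the service-account exemption. The flow records are constructed; the genuine-Graph comparison flow, its issuer name and the business-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

GB = 1024 ** 3
DAILY_CAP = 50 * GB
SERVICE_ACCOUNTS = {"svc-rdbridge-admin"}
TELEMETRY_SUFFIXES = (".microsoft.com",)   # what the SNI allowlist trusts

def _flow(time, src, account, sni, dst_host, cert_subject, cert_issuer, nbytes):
    return {"time": time, "src": src, "account": account, "sni": sni, "dst_host": dst_host,
            "cert_subject": cert_subject, "cert_issuer": cert_issuer, "bytes": nbytes}

# Constructed TLS flow summaries (not traffic from the scenario). The first three follow
# the pattern described above: SNI claims Microsoft, the certificate is self-signed, the
# resolved host is the attacker domain, and each night stays under the 50 GB cap.
FLOWS = [
    _flow("2026-03-07T22:30:00", "AZURE-RD-ENV-01", "svc-rdbridge-admin", "graph.microsoft.com",
          "graph-api-sync.bioanalytics.net", "graph.microsoft.com", "graph.microsoft.com", 19 * GB),
    _flow("2026-03-08T22:41:00", "AZURE-RD-ENV-01", "svc-rdbridge-admin", "graph.microsoft.com",
          "graph-api-sync.bioanalytics.net", "graph.microsoft.com", "graph.microsoft.com", 21 * GB),
    _flow("2026-03-09T22:21:00", "GENIX-PROD-01", "svc-rdbridge-admin", "graph.microsoft.com",
          "graph-api-sync.bioanalytics.net", "graph.microsoft.com", "graph.microsoft.com", 18 * GB),
    # Genuine Graph call in business hours with a CA-issued certificate (issuer name constructed).
    _flow("2026-03-09T10:12:00", "BIOGEN-IT-WS-07", "j.nielsen", "graph.microsoft.com",
          "graph.microsoft.com", "graph.microsoft.com", "Example Public CA G2", 40 * 1024 ** 2),
]

def _date(f: dict) -> str:
    return f["time"][:10]

def off_hours(f: dict) -> bool:
    hour = datetime.fromisoformat(f["time"]).hour
    return hour < 7 or hour >= 19

def original_rules(flows):
    """The three DLP rules as deployed; each is evaluated independently and each has its gap."""
    alerts = []
    per_day = defaultdict(int)
    for f in flows:
        # Rule 1: destination trust keyed on the SNI header alone.
        if not f["sni"].endswith(TELEMETRY_SUFFIXES):
            alerts.append(("untrusted_destination", f["src"], f["sni"]))
        # Rule 2: per-source, per-day volume cap.
        per_day[(f["src"], _date(f))] += f["bytes"]
        if per_day[(f["src"], _date(f))] > DAILY_CAP:
            alerts.append(("daily_cap", f["src"], _date(f)))
        # Rule 3: off-hours transfers, service accounts exempt.
        if off_hours(f) and f["account"] not in SERVICE_ACCOUNTS:
            alerts.append(("off_hours", f["account"], f["time"]))
    return alerts

def trusted_destination(f: dict) -> bool:
    """SNI is only a claim; trust it when the certificate subject matches it, the
    certificate is not self-signed, and the resolved host sits under the same domain."""
    self_signed = f["cert_issuer"] == f["cert_subject"]
    subject_matches = f["cert_subject"] == f["sni"]
    domain = f["sni"].split(".", 1)[1]
    host_matches = f["dst_host"] == f["sni"] or f["dst_host"].endswith("." + domain)
    return f["sni"].endswith(TELEMETRY_SUFFIXES) and subject_matches and host_matches and not self_signed

def hardened_rules(flows, cumulative_cap=DAILY_CAP):
    """Same three controls with the gaps closed: certificate-validated trust, volume
    aggregated per destination across days, and no account-class exemption."""
    alerts = []
    per_dest = defaultdict(int)
    for f in flows:
        if trusted_destination(f):
            continue
        if f["sni"].endswith(TELEMETRY_SUFFIXES):
            alerts.append(("sni_cert_mismatch", f["src"], f["dst_host"]))
        per_dest[f["dst_host"]] += f["bytes"]
        if per_dest[f["dst_host"]] > cumulative_cap:
            alerts.append(("cumulative_volume", f["dst_host"], per_dest[f["dst_host"]] // GB))
        if off_hours(f):
            alerts.append(("off_hours", f["account"], f["time"]))
    return alerts
```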

Current Threat Status

Active persistence: Kernel rootkit on HANSEN-SAP-01 with live C2 connection to 203.0.113.44:443.

Active exfiltration channel: 44th session was underway at time of detection – status of final session unclear.

Suspected scope: All 44 GenixLibrary dataset archives accessed, including GenixLib-Acquisition-Package-v1 and v2.

Attribution indicators: Kernel driver certificate matches CFCS bulletin CB-2026-0312 citing identical revocation date across 3 other Danish biotech/pharma targets.

Investigation Progress Tracking

Session Worksheet – Mark Progress as Team Discovers

Inject 1 (T+0): Supply Chain Entry + Azure Authentication Anomaly

Initial Discovery:

Key Decision: Isolate HANSEN-SAP-01 first (cuts active Azure access) vs isolate calibration workstations first (stops ongoing harvesting but attacker already has credentials)

Correct Priority: HANSEN-SAP-01 – the attacker has current active Azure R&D access from there right now

Inject 2 (T+20): Kernel Rootkit on HANSEN-SAP-01

Forensic Discovery:

Key Decision: Preserve memory image and kernel driver artifact before any remediation action

Red Flag: Team reimages without capturing memory image – attribution and counterintelligence value permanently lost

Inject 3 (T+45): Pass-the-Hash via Collaborative Bridge

Lateral Movement Confirmed:

Key Decision: Revoke credentials and close exception immediately vs wait for full scope picture

Red Flag: Team delays credential revocation – active cloud R&D access continues during the delay

Inject 4 (T+70): 847 GB Exfiltration Detected

Exfiltration Scope:

Key Decision: Scope statement to merger counterparty – what can be confirmed vs what is still under investigation

Red Flag: Team overstates certainty; later scope revisions damage credibility with regulators and counterparty

Inject 5 (T+95): Regulatory and Intelligence Authorities

Multi-Stakeholder Coordination:

Key Decision: How to share indicators with CFCS without compromising merger timeline or regulatory obligations

Red Flag: Team allows CFCS coordination to delay GDPR notification – they are separate obligations

Inject 6 (T+115): Decision and Debrief Pivot

Post-Incident:

Type Effectiveness Matrix

Winnti (APT/Supply Chain) – Response Effectiveness

Highly Effective

Memory Forensics:

  • Bypasses DKOM kernel hooks that defeat disk-based scanning
  • Reveals hidden processes invisible to tasklist.exe
  • Captures kernel driver artifact before reimaging destroys evidence
  • Why Effective: Winnti’s kernel rootkit specifically defeats file system enumeration; physical memory is the only path to ground truth

Certificate Validation Enforcement:

  • Live OCSP check at update deployment time would have blocked v4.2.1 installation
  • Certificate was revoked 4 months before the update was deployed
  • Why Effective: The entire supply chain entry depended on the trusted vendor exception skipping certificate validation

Behavioral Analysis (process tree):

  • calibsvc.exe spawning PowerShell with encoded command is a high-confidence indicator
  • Pattern consistent across all 3 workstations confirms weaponized update vs workstation anomaly
  • Why Effective: Supply chain delivery uses process hijack; normal vendor software does not spawn encoded PowerShell
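As an added example (not part of the scenario materials), the process-tree indicator above expressed over constructed EDR events: it walks each powershell.exe process's ancestry on the same host, fires only when calibsvc.exe is an ancestor and an encoded command is present, and decodes that command for the analyst. Host names, PIDs and the benign comparison host are constructed; the vendor image name and the recon command are the ones the scenario gives.

```python
import base64
from typing import Iterator, List, Optional

RECON_CMD = "net.exe user svc-rdbridge-admin /domain"
ENCODED_FLAGS = ("-encodedcommand", "-enc", "-ec", "-e")   # spellings PowerShell accepts

def encode_ps(cmd: str) -> str:
    """Encode a command the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

# Constructed EDR process-creation events (host names and PIDs are made up);
# each process is linked to its parent by (host, ppid).
EVENTS = [
    {"host": "BIOGEN-RD-WS-01", "pid": 1200, "ppid": 4, "image": "calibsvc.exe", "cmdline": "calibsvc.exe"},
    {"host": "BIOGEN-RD-WS-01", "pid": 1310, "ppid": 1200, "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "BIOGEN-RD-WS-01", "pid": 1422, "ppid": 1310, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(RECON_CMD)},
    {"host": "BIOGEN-RD-WS-02", "pid": 1180, "ppid": 4, "image": "calibsvc.exe", "cmdline": "calibsvc.exe"},
    {"host": "BIOGEN-RD-WS-02", "pid": 1455, "ppid": 1180, "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + encode_ps(RECON_CMD)},
    # Encoded PowerShell from an admin shell on another host: no vendor-service ancestor, not this rule's hit.
    {"host": "BIOGEN-IT-WS-07", "pid": 900, "ppid": 4, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "BIOGEN-IT-WS-07", "pid": 950, "ppid": 900, "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_ps("Get-Service calibsvc")},
]

def encoded_payload(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand argument, or None if the command line has none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def ancestors(event: dict, by_pid: dict) -> Iterator[str]:
    """Yield ancestor image names on the same host, following ppid links upward."""
    seen = set()
    cur = by_pid.get((event["host"], event["ppid"]))
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur["image"].lower()
        cur = by_pid.get((cur["host"], cur["ppid"]))

def detect_vendor_spawned_encoded_ps(events: List[dict], vendor_image: str = "calibsvc.exe") -> List[dict]:
    """Alert on powershell.exe carrying an encoded command when the vendor calibration
    service is anywhere in its ancestry (directly, or via an intermediate svchost.exe)."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        decoded = encoded_payload(e["cmdline"])
        if decoded is not None and vendor_image in ancestors(e, by_pid):
            alerts.append({"host": e["host"], "pid": e["pid"], "decoded": decoded})
    return alerts
```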

Moderately Effective

Network Traffic Analysis:

  • Identifies graph-api-sync.bioanalytics.net destination despite SNI spoofing
  • Domain age, IP ownership, certificate mismatch are detectable with TLS inspection
  • Why Effective: Exfiltration infrastructure has detectable anomalies – young domain, self-signed cert, privacy proxy registration

Legacy System Governance:

  • HANSEN-SAP-01 was the persistence anchor; decommissioning it would have closed the attack path
  • ITSM-29847 was open 18 months with no resolution
  • Why Effective: Removes the persistence anchor, but doesn’t address the supply chain entry vector

Somewhat Effective

Conditional Access Policy Review:

  • Removing COLLBRIDGE-EXCL-003 would have stopped all 11 lateral movement sessions
  • A single policy lifecycle review at merger integration close would have eliminated this path
  • Why Effective: Closes the lateral movement path but doesn’t address the initial foothold or exfiltration infrastructure

Ineffective

Signature-Based Antivirus:

  • Kernel rootkit intercepts file system queries before AV can enumerate hidden files
  • Standard tasklist.exe returns clean output – rootkit hides own entries
  • Disk scans on HANSEN-SAP-01 returned clean throughout 90-day dwell period
  • Why Ineffective: Winnti specifically designed to defeat userland enumeration tools

DLP Alert Tuning (alone):

  • All three DLP rules had adjacent gaps that together created a blind spot
  • Patching one rule (e.g. per-day cap) still leaves SNI trust and service account exclusion
  • Why Ineffective: Defense-in-depth failure – patching a single rule doesn’t address the layered gap

Facilitator Notes

If team isolates workstations before HANSEN-SAP-01:

  • Remind them: attacker already has the credential hash; workstation isolation stops future harvesting but the active Azure access is still live via HANSEN-SAP-01
  • Ask: “The attacker is in your Azure R&D environment right now. Which system is providing that access?”

If team rushes to reimage without preserving forensics:

  • CFCS arrives asking for the kernel driver artifact and memory image – they no longer exist
  • Attribution to CB-2026-0312 cannot be confirmed; counterintelligence coordination is blocked

If team conflates regulatory and counterintelligence workstreams:

  • Datatilsynet has a 72-hour notification clock – it does not pause for CFCS coordination
  • CFCS coordination is about indicators and attribution – it does not require waiting for GDPR notification to complete first

Inject 1 – T+0: Supply Chain Evidence

Calibration Software Alert and Authentication Anomalies

Starting Information

What the team receives at 07:45:

  • EDR process tree: calibsvc.exe → svchost.exe → powershell.exe -encodedCommand → net.exe user svc-rdbridge-admin /domain on BIOGEN-RD-WS-01, WS-02, WS-03
  • Azure AD alert: HANSEN-SAP-01 authenticated as svc-rdbridge-admin twice last night; COLLBRIDGE-EXCL-003 exception bypassed Conditional Access
  • GenixLibrary audit log: 21 sequential sequence file reads between 22:21-23:48 UTC, account svc-rdbridge-admin, no interactive logon

Handout: Distribute Handout A: Supply Chain Evidence

Discussion Prompts

Drive toward the isolation sequence:

  • “Which system is providing the attacker their active Azure R&D access right now?”
  • “What evidence needs to be preserved from the calibration workstations before you isolate them?”
  • “Who owns the decision to isolate HANSEN-SAP-01? It’s in the Collaborative Bridge dependency chain – Katrine and Bent both have a stake.”

Conditional outcomes:

  • Team isolates HANSEN-SAP-01 first: Active Azure R&D access cut. Collaborative Bridge drops briefly. Calibration workstations isolated next – rootkit artifacts preserved.
  • Team delays HANSEN-SAP-01 isolation: Attacker maintains active Azure access during delay. Additional GenixLibrary read sessions possible before cutoff.

Success indicators: Incident command established, isolation sequence prioritized (HANSEN-SAP-01 first), evidence preservation owner assigned.

Inject 2 – T+20: Kernel Rootkit

HANSEN-SAP-01 Memory Forensics

What the Security Specialist Reports

“Hardware-assisted memory enumeration of HANSEN-SAP-01 is complete. Standard tasklist.exe shows 87 processes. Physical memory enumeration shows 92. Five hidden PIDs. PID 4028 has an ESTABLISHED connection to 203.0.113.44:443 right now. The kernel driver masking these processes is signed by CaliSync Instrumentation GmbH – but that certificate was revoked on 2025-11-14. And HANSEN-SAP-01 hasn’t had a security patch since August 2024. It’s been excluded from SOC monitoring since the decommission ticket was opened.”

Handout: Distribute Handout B: Rootkit Forensic Artifacts

Discussion Prompts

Drive toward evidence preservation:

  • “The rootkit is active and network-connected right now. What do you capture before you do anything else?”
  • “Why did every disk scan return clean for 18 months? What does that tell you about the detection layer that was missing?”
  • “The certificate revocation date is 2025-11-14 – and the CaliSyncPro update deployed using the same certificate. What does that sequence tell you?”

Conditional outcomes:

  • Team preserves memory image and kernel driver artifact before isolation: CFCS confirms match to CB-2026-0312 campaign. Attribution viable. Counterintelligence handoff possible.
  • Team reimages without preservation: CFCS requests artifacts – they no longer exist. Attribution blocked.

Success indicators: Memory image captured, kernel driver artifact preserved, CFCS notification decision made, certificate revocation investigation initiated.

Inject 3 – T+45: Pass-the-Hash Confirmed

Lateral Movement via Collaborative Bridge

What Network Forensics Confirms

“Correlation complete. svc-rdbridge-admin authenticated from HANSEN-SAP-01 into the Azure R&D environment 11 times over 90 days. Every session is NTLM. No interactive logon preceding any session – not one. COLLBRIDGE-EXCL-003 is a Conditional Access exception created on 2024-11-14 during the SAP migration window. Expiry: NONE SET. Last reviewed: NEVER.”

Handout: Distribute Handout C: Lateral Movement Log

Discussion Prompts

Drive toward credential revocation and policy closure:

  • “11 sessions, all NTLM, no interactive logon preceding any of them. What does the absence of an interactive logon tell you about how these credentials were used?”
  • “Which Azure R&D resources were within reach of svc-rdbridge-admin – and does that scope match your current exfiltration estimate?”
  • “COLLBRIDGE-EXCL-003 was created during merger integration and never reviewed. What governance process should have caught this?”

Surface Katrine’s involvement (optional pressure):

  • Bent can note that the exception approval record shows a CTO-level authorization
  • Let Katrine disclose on her own; don’t force it unless the team presses on the policy gap directly

Conditional outcomes:

  • Team revokes credentials and closes exception immediately: Active cloud R&D access terminated. Investigation shifts to historical exfiltration scope.
  • Team delays: Attacker maintains access during delay; additional GenixLibrary data potentially accessed before cutoff.

Success indicators: svc-rdbridge-admin credentials revoked, COLLBRIDGE-EXCL-003 closed, scope of Azure resources documented.

Inject 4 – T+70: Exfiltration Scope

847 GB Over 90 Days

What the 90-Day Traffic Retrospective Shows

“847 gigabytes outbound over port 443, destination graph-api-sync.bioanalytics.net. Domain registered 4 months ago, privacy proxy, self-signed certificate impersonating Microsoft. DLP classified all of it as Microsoft telemetry – it trusted the SNI header and never validated the certificate. GenixLibrary audit log shows 44 off-hours batch read sessions since December 10. svc-rdbridge-admin was excluded from off-hours movement policy as a service account. This was methodical.”

Handout: Distribute Handout D: Exfiltration Traffic Analysis

Discussion Prompts

Drive toward scoped disclosure decisions:

  • “847 GB and 44 sessions over 90 days. What does that cadence tell you about the attacker’s intent – smash-and-grab, or patient collection?”
  • “The acquisition data room packages are in the exfiltration scope. Your merger advisor calls in 2 hours. What can you confirm, and what are you still investigating?”
  • “Three DLP rules all had adjacent gaps simultaneously. Is that coincidence, or does it tell you something about the attacker’s knowledge of your environment?”

Phillip Christensen enters:

“I’ve just been briefed. I need to understand what we can tell the counterparty without blowing the deal. What’s your recommendation?”

Present the tension: proactive calibrated disclosure vs waiting for full certainty vs saying nothing.

Conditional outcomes:

  • Team provides calibrated scope statement with confidence qualifiers: Counterparty and Datatilsynet receive credible update. Trust maintained.
  • Team overstates certainty: Later scope revisions undermine credibility with all parties.

Success indicators: Exfiltration scope documented with confidence level, GDPR notification draft initiated, merger briefing position agreed.

Inject 5 – T+95: Regulatory and Intelligence Coordination

Three Calls at Once

Simultaneous Inbound

Datatilsynet: GDPR notification status requested. Reference DT-2026-0847. 72-hour clock is running.

CFCS: They have seen this exact supply chain pattern at 3 other Danish biotech and pharma firms. CFCS bulletin CB-2026-0312 cites identical kernel driver certificate revocation date. They want your indicators.

PET: Counterintelligence inquiry. A foreign state actor is collecting Danish genomic and fermentation IP. They want a coordination call.

Merger advisor: Calls next. Counterparty has heard there is “a security matter” from a contact at one of the other affected firms.

Discussion Prompts

Force workstream separation:

  • “Datatilsynet has a 72-hour clock. CFCS coordination does not pause that clock. Who owns the Datatilsynet notification, and what does that person need from the rest of the team?”
  • “What can you share with CFCS that doesn’t compromise your merger position or pre-empt your regulatory notification?”
  • “The merger advisor is calling. What is your prepared position, and who speaks?”

If team conflates workstreams:

  • Datatilsynet deadline pressure spikes
  • CFCS coordination gets contaminated with merger confidentiality concerns
  • Merger advisor doesn’t get a clear answer

IM reference numbers (share if asked):

  • Datatilsynet: DT-2026-0847
  • CFCS bulletin: CB-2026-0312

Conditional outcomes:

  • Team separates workstreams: All three stakeholder groups receive calibrated, appropriate communication.
  • Team conflates workstreams: One obligation blocks another; credibility with at least one party erodes.

Success indicators: GDPR notification owner assigned, CFCS coordination scope agreed, merger advisor briefing position confirmed.

Inject 6 – T+115: Decision and Debrief Pivot

Hot Wash

Transition Script

“Immediate containment is in place. You have stopped the bleeding. But 847 gigabytes of genomic R&D may already be in the hands of a foreign intelligence service. The next decisions you make determine whether this becomes a repeat event or a turning point for BioGenix.”

Debrief Questions

Technical:

  • Which single control failure had the highest leverage point – the certificate validation exception, the decommissioning backlog, or the Conditional Access policy gap?
  • What would memory forensics as a standard decommission step have changed?
  • How did three simultaneous DLP gaps create a blind spot that no single fix would have closed?

Governance:

  • Who should own the lifecycle of Conditional Access exceptions created during integration projects?
  • What is the right decommissioning governance process for a system that operations won’t release?
  • How do you write a merger data room policy that accounts for the security of the integration infrastructure, not just the data?

Strategic:

  • What does this incident mean for your supply chain security posture going forward?
  • If CFCS confirms 3 other Danish firms were hit by the same campaign, what does coordinated disclosure between affected organizations look like?

Success Indicators for Debrief

  • Team identifies concrete remediation owners and deadlines (not just categories of work)
  • Debrief focuses on systemic gaps – not individual fault
  • Team leaves with prioritized action owners across: supply chain validation, legacy system governance, DLP coverage, Conditional Access lifecycle management

Red flag: Debrief narrows to “Katrine should have expired the exception” – individual fault framing. Redirect toward the governance structure that should have caught it regardless of who created it.

Debrief Framework

What Just Happened

The Attack Chain

  1. Supply chain entry: Winnti delivered via weaponized calibration software update. Vendor trust exception skipped the certificate revocation check that would have blocked it.
  2. Kernel-level persistence: Signed kernel driver (revoked certificate) loaded on an orphaned SAP server, hiding itself from every standard enumeration tool for 18 months.
  3. Lateral movement: Pass-the-Hash using a harvested credential hash – no password ever needed. A legacy Conditional Access exception left over from the merger integration provided the opening.
  4. Patient exfiltration: 847 GB over 90 days, disguised as Microsoft telemetry. Three DLP rules, three adjacent gaps, zero alerts.

Why Standard Tools Missed It

  • Disk scans returned clean – the rootkit intercepted the queries
  • DLP trusted the SNI header – certificate validation was never performed
  • The exfiltration account was excluded from off-hours policy – it was a service account
  • The persistence host was excluded from SOC monitoring – it was awaiting decommissioning

What Effective Teams Did

  • Treated the absence of an interactive logon as a meaningful signal, not a reporting gap
  • Captured memory forensics before isolation or reimaging
  • Separated the regulatory, counterintelligence, and commercial response workstreams under distinct owners
  • Provided calibrated scope statements with explicit confidence qualifiers rather than waiting for certainty that may never arrive

What Made This Hard

Institutional pressure – decommissioning backlogs, merger integration shortcuts, compliance exceptions with no expiry – created the conditions the attacker exploited. The technical sophistication of Winnti is real. But the attack succeeded because of governance failures that predated it by 18 months.

Continue Your Learning

Scenario Resources

  • Malmon Profile: Complete Winnti technical details, MITRE ATT&CK mapping, and facilitation guidance
  • Scenario Card: Full scenario card with role-specific discovery paths and resolution options
  • Planning Guide: Detailed facilitation guidance, NPC development, and customization options
  • IM Inject Deck: Printable inject cards for each scenario phase


Keep Learning

Patient adversaries reveal impatient defenses. The 90-day dwell time was not a limitation – it was a choice.