Phishing-as-a-Service & Mobile Trojans: How Recent Cyber Incidents Drive NIS2 & DORA Compliance in 2026
Introduction: The Evolving Cyber Threat Landscape in 2026
As organizations navigate an increasingly digital world, cyber threats have evolved from isolated attacks into commoditized services that lower the barrier to entry for malicious actors. Two recent incidents, the Starkiller phishing-as-a-service platform and the Massiv Android banking trojan, illustrate this shift: Starkiller relays one-time codes and push approvals through an adversary-in-the-middle proxy so that conventional multi-factor authentication (MFA) no longer stops credential theft, and Massiv takes over the victim's mobile device. These threats not only jeopardize data security but also expose organizations to regulatory risk under the NIS2 Directive and the Digital Operational Resilience Act (DORA). Both regimes are already in force: NIS2 had to be transposed by member states by 17 October 2024, and DORA has applied since 17 January 2025, so the obligations described below apply to incidents happening today. This article analyzes these incidents, links them to regulatory mandates, and provides step-by-step mitigation strategies to ensure compliance and resilience in 2026 and beyond.
Overview of Recent Cybersecurity Incidents: Starkiller and Massiv
In 2026, cybersecurity researchers identified several high-profile threats that exemplify the sophistication of modern cybercrime. Understanding these incidents is crucial for developing effective defense strategies.
Starkiller: Phishing-as-a-Service with MFA Bypass
The Starkiller platform, operated by the threat group Jinkusu, represents a significant evolution in phishing tooling. Unlike traditional kits that serve a static clone of a login page, Starkiller runs a headless Chrome browser inside a Docker container and loads the real login pages of Apple, Facebook, Google, Microsoft and other targets on demand. It sits between victim and target as an adversary-in-the-middle (AiTM) reverse proxy: everything the victim types, including username, password and one-time code or push approval, is forwarded to the legitimate site, and the site's responses are rendered back to the victim. The MFA check itself is not broken; it is completed by the victim on the attacker's behalf, and the proxy keeps the authenticated session cookie the site issues afterwards. This defeats any second factor that can be relayed (SMS and app one-time codes, push prompts, number matching). It does not defeat FIDO2/WebAuthn credentials, whose signatures are bound to the origin the browser is actually on, so a proxy on another domain cannot obtain a valid assertion.
Key features of Starkiller include:
- Real-time session monitoring and keylogging
- Cookie and session token theft
- Geo-tracking and automated Telegram alerts for new credentials
- Campaign analytics dashboards
By packaging server configuration and domain management into a ready-made service, Starkiller lowers the barrier to entry for novice cybercriminals. Because the page the victim sees is the genuine one fetched live, content-based phishing detection has nothing to match, and freshly rotated proxy domains stay ahead of domain blocklists. This reflects a broader trend toward commoditized, enterprise-style cybercrime infrastructure, making advanced attacks more accessible and widespread.
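The following model, added for this article and not code from Starkiller or from any vendor, shows why the proxy described above succeeds against a one-time code but fails against a FIDO2 credential. The origins (`login.example.com`, `login.example-secure.net`), the user secrets and the `Authenticator` class are all assumptions; an HMAC stands in for the authenticator's asymmetric signature so the script runs on the Python standard library alone, and the checks in `rp_verify_assertion` follow the order a WebAuthn relying party uses.

```python
"""Why an AiTM proxy relays a one-time code but cannot relay a FIDO2 assertion.
Constructed model for this article; it is not Starkiller code or any vendor's library."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ORIGIN = "https://login.example.com"            # assumed legitimate login origin
RP_ID = "login.example.com"                        # WebAuthn relying-party ID for that origin
PHISH_ORIGIN = "https://login.example-secure.net"  # assumed attacker domain fronting the proxy


class Authenticator:
    """Stand-in for a FIDO2 security key. A real key holds an asymmetric key pair per RP and
    signs with the private key; an HMAC secret stands in for the pair so this runs on stdlib only."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # the RP stores this as the credential's verification key

    def sign(self, rp_id, client_data_json):
        # Real authenticatorData also carries flags and a counter; rpIdHash is what matters here.
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._creds[rp_id], msg, "sha256").digest()


def browser_get_assertion(authenticator, rp_id, challenge, page_origin):
    """Models navigator.credentials.get(): the browser writes the origin it is actually on into
    clientDataJSON and refuses an rpId that is not a registrable suffix of that origin."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator.sign(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify_assertion(verification_key, expected_challenge, client_data, auth_data, sig):
    """Relying-party checks in spec order: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(verification_key, msg, "sha256").digest(), sig)


def rp_verify_otp_login(password, otp, stored_password, expected_otp):
    """The site's password+TOTP check. Nothing in the submitted values reveals that they
    travelled through a proxy: the relayed code is byte-for-byte what a direct login sends."""
    return hmac.compare_digest(password, stored_password) and hmac.compare_digest(otp, expected_otp)


def aitm_scenario():
    """Victim lands on PHISH_ORIGIN, which proxies RP_ORIGIN. Returns the outcome of each step."""
    results = {}
    # 1. Password + TOTP typed into the proxied page are forwarded verbatim and accepted.
    results["otp_via_proxy"] = rp_verify_otp_login("hunter2", "482913", "hunter2", "482913")

    # 2. Passkey registered with the real site earlier.
    auth = Authenticator()
    vkey = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)  # minted by the real RP, relayed unchanged by the proxy

    # 3. The proxied page asks the browser for an assertion for RP_ID; the browser refuses.
    try:
        browser_get_assertion(auth, RP_ID, challenge, PHISH_ORIGIN)
        results["browser_refused"] = False
    except ValueError:
        results["browser_refused"] = True

    # 4. Defence in depth: even clientDataJSON forged with the phishing origin and signed for RP_ID
    #    is rejected by the RP, because the origin it carries is not RP_ORIGIN.
    forged = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": PHISH_ORIGIN}
    ).encode()
    ad, sig = auth.sign(RP_ID, forged)
    results["rp_accepts_phish_origin"] = rp_verify_assertion(vkey, challenge, forged, ad, sig)

    # 5. The same passkey used directly on the real origin verifies.
    cd, ad, sig = browser_get_assertion(auth, RP_ID, challenge, RP_ORIGIN)
    results["rp_accepts_real_origin"] = rp_verify_assertion(vkey, challenge, cd, ad, sig)
    return results


if __name__ == "__main__":
    print(aitm_scenario())
```

The point to take from step 4 is that the origin check is the relying party's, not the browser's: a site that verifies the signature but skips the `origin` comparison in `clientDataJSON` throws away the property that makes passkeys phishing-resistant.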
Massiv Android Trojan: Banking Malware via Social Engineering
Another critical threat in 2026 is the Massiv Android trojan, which masquerades as legitimate IPTV (Internet Protocol Television) applications to deceive users. According to cybersecurity researchers, the malware is built for device takeover (DTO) attacks against mobile banking users: the attacker operates the victim's own device and banking session, so the fraudulent transaction appears to come from a trusted, enrolled phone. It needs no exploit. The popularity of IPTV apps, which are commonly installed from outside the official app store, gives the operators a social-engineering pretext to get the victim to install the app and grant it permissions. Android banking trojans of this class typically rely on the accessibility service to read screen content and act on the user's behalf, so an IPTV app that asks for accessibility access should be treated as a red flag.
The Massiv trojan highlights:
- Evolving mobile malware tactics that target financial transactions
- The risks of compromised mobile devices in the banking ecosystem
- The need for robust mobile security protocols beyond traditional endpoint protection
These incidents underscore how threat actors are adapting to exploit trusted tools and user behaviors, necessitating a proactive approach to cybersecurity compliance.
Linking Incidents to NIS2 and DORA Compliance Requirements
The Starkiller and Massiv incidents directly relate to key mandates under the NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). Organizations in sectors like finance, healthcare, and digital infrastructure must align their cybersecurity practices with these regulations to avoid penalties and ensure operational resilience.
NIS2 Directive: Incident Reporting and Risk Management
NIS2, which requires member state transposition by 17 October 2024, applies to "essential" and "important" entities across 18 sectors, including energy, transport, health, and digital infrastructure. The directive mandates:
- Incident Reporting: Essential and important entities must report significant incidents to their CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. A Starkiller campaign that yields a working session against a corporate account becomes reportable once the access is used in a way that meets the significance threshold, and the clock starts when the entity becomes aware, not when exfiltration is confirmed.
- Risk Management Measures: Article 21 requires appropriate and proportionate technical, operational and organizational measures, and its minimum list explicitly includes multi-factor or continuous authentication, access control, basic cyber hygiene and security training, alongside supply chain security. Starkiller is a direct test of the authentication and training items: an organization that satisfies the MFA requirement with one-time codes alone has a control that a commodity kit bypasses.
- Management Accountability: Management bodies must approve and oversee the cybersecurity risk-management measures and can be held liable for breaches. Fines reach EUR 10 million or 2% of global annual turnover, whichever is higher, for essential entities, and EUR 7 million or 1.4% for important entities.
For example, if an organization falls victim to a Starkiller phishing campaign that results in unauthorized access to sensitive data, it must have processes in place to detect, report, and mitigate the incident per NIS2 requirements.
DORA: Operational Resilience for Financial Entities
DORA applies from 17 January 2025 to financial entities such as banks, insurers, and payment institutions. Its key requirements include:
- ICT Risk Management Framework: Entities must establish a comprehensive framework to manage ICT risks, including threats like the Massiv trojan that target mobile banking.
- Digital Operational Resilience Testing: Regular testing, including threat-led penetration testing, is required to ensure systems can withstand incidents. This is crucial for identifying vulnerabilities that could be exploited by advanced malware.
- Third-Party ICT Risk Management: Organizations must assess and monitor risks from external providers, such as cloud services or software vendors, which could be compromised in attacks like the SmartLoader campaign using a trojanized Oura MCP server.
The Massiv trojan's focus on mobile banking aligns with DORA's emphasis on protecting financial transactions and ensuring continuity of services. Failure to implement adequate mobile security measures could result in non-compliance with DORA's resilience mandates.
Step-by-Step Mitigation Strategies for 2026 Compliance
To address threats like Starkiller and Massiv while meeting NIS2 and DORA requirements, organizations should adopt a multi-layered approach to cybersecurity. Here are actionable steps to enhance protection and compliance.
1. Strengthen Authentication and Access Controls
Given that Starkiller relays one-time codes and push approvals, organizations must go beyond those factors:
- Implement phishing-resistant MFA: FIDO2/WebAuthn security keys or platform passkeys, whose assertions are bound to the site's origin, so a proxy on another domain cannot relay them. A fingerprint or face unlock is only phishing-resistant when it unlocks such a credential; biometric approval of a push prompt is not.
- Retire relayable factors (SMS, TOTP, plain push) for privileged and high-risk accounts first, and train employees that a login page asking for a code is exactly what an AiTM kit looks like; because the page content is genuine, checking the address bar is the one human check that still works.
- Pair endpoint detection and response (CrowdStrike or comparable) with identity-layer monitoring in the identity provider: an AiTM login reaches the real site from the proxy's address rather than the victim's device, so new-location and new-device signals at sign-in, followed by use of the same session from a second client, are the telemetry that reveals credential and token theft.
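The two identity-layer signals just described, as an added triage example for this article rather than any vendor's detection content. The events, user names, addresses and 30-day baseline are constructed; a real source would be the identity provider's sign-in and session logs, and the rules are written to produce findings for an analyst rather than to block.

```python
"""Identity-log triage for AiTM phishing and session-token replay.
Constructed example for this article; the events are made up and the rules are illustrative."""
import json
from collections import defaultdict

# Constructed identity-provider sign-in and session-activity events (one JSON object per line).
SAMPLE_EVENTS = """\
{"ts":"2026-03-02T08:59:41Z","user":"a.kowalski","session":"s-7f3a","ip":"198.51.100.77","ua":"Chrome/124 Windows","event":"login","mfa":"totp"}
{"ts":"2026-03-02T09:01:05Z","user":"a.kowalski","session":"s-7f3a","ip":"198.51.100.77","ua":"Chrome/124 Windows","event":"activity"}
{"ts":"2026-03-02T09:06:22Z","user":"a.kowalski","session":"s-7f3a","ip":"203.0.113.250","ua":"Chrome/123 Linux","event":"activity"}
{"ts":"2026-03-02T09:30:00Z","user":"b.ng","session":"s-c2d1","ip":"192.0.2.5","ua":"Safari/17 macOS","event":"login","mfa":"fido2"}
{"ts":"2026-03-02T10:15:00Z","user":"b.ng","session":"s-c2d1","ip":"192.0.2.5","ua":"Safari/17 macOS","event":"activity"}
"""

# Constructed baseline: addresses each user signed in from over the previous 30 days.
KNOWN_IPS = {"a.kowalski": {"203.0.113.10"}, "b.ng": {"192.0.2.5"}}

# Factors a proxy can relay. FIDO2/WebAuthn is origin-bound and deliberately not listed.
RELAYABLE_MFA = {"totp", "sms", "push", "number_matching"}


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines; file order is assumed chronological."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, known_ips):
    """Two rules, each returning a finding for an analyst:
    1. a login from an address outside the user's baseline, authenticated with a relayable factor.
       Under AiTM the real site sees the proxy's address, not the victim's, so the phished login
       itself looks like a new device to the identity provider;
    2. one session identifier used from a second (ip, user-agent) pair: the cookie captured by the
       proxy is being replayed from the attacker's own client."""
    findings = []
    clients_per_session = defaultdict(list)  # session -> [(ip, ua), ...] in first-seen order

    for ev in events:
        user, session, client = ev["user"], ev["session"], (ev["ip"], ev["ua"])

        if (ev["event"] == "login"
                and ev.get("mfa") in RELAYABLE_MFA
                and ev["ip"] not in known_ips.get(user, set())):
            findings.append({"rule": "login_from_unknown_client_relayable_mfa", "user": user,
                             "session": session, "ip": ev["ip"], "ts": ev["ts"]})

        seen = clients_per_session[session]
        if client not in seen:
            if seen:  # a second distinct client on an already-established session
                findings.append({"rule": "session_reused_from_new_client", "user": user,
                                 "session": session, "first_client": seen[0],
                                 "new_client": client, "ts": ev["ts"]})
            seen.append(client)
    return findings


def triage_sample():
    """Run both rules over the constructed events and return the findings."""
    return detect(parse_events(SAMPLE_EVENTS), KNOWN_IPS)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

On the constructed data the first user trips both rules (a TOTP login from an unfamiliar address, then the same cookie used from a second client seven minutes later), while the FIDO2 user trips neither. Rule 2 is noisy on mobile networks and carrier-grade NAT, so in production it is a triage signal to correlate with rule 1 and with the ASN of the login address, not a reason to terminate sessions automatically.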
2. Enhance Mobile Security Protocols
To counter mobile threats like Massiv:
- Deploy mobile device management (MDM) to enforce policy on devices used for banking or for access to sensitive data: block installation from unknown sources, require Google Play Protect, and restrict which apps may hold the accessibility permission that device-takeover malware depends on.
- Conduct regular security awareness training focused on mobile risks, such as downloading apps from untrusted sources.
- Implement network security measures with vendors like Palo Alto Networks to monitor and block malicious traffic from compromised devices.
3. Implement Robust Incident Response Plans
Align with NIS2 and DORA reporting requirements:
- Develop and test incident response plans that include procedures for detecting, containing, and reporting incidents within mandated timelines (for NIS2: early warning within 24 hours, incident notification within 72 hours, final report within one month; DORA has its own staged initial, intermediate and final reports for major ICT-related incidents).
- Integrate threat intelligence feeds to stay updated on emerging threats like Starkiller or Massiv.
- Conduct regular drills to ensure teams are prepared to handle sophisticated attacks.
4. Adopt a Risk-Based Approach to Compliance
Leverage frameworks like the NIST Cybersecurity Framework (CSF) 2.0 (published 26 February 2024) to guide risk management:
- Use the six core functions—Govern, Identify, Protect, Detect, Respond, Recover—to assess and improve cybersecurity posture.
- Align controls with ISO/IEC 27001:2022 standards, which include 93 controls across four themes (Organizational, People, Physical, Technological).
- Regularly review and update risk assessments to account for evolving threats, ensuring compliance with NIS2's risk management mandates.
How AIGovHub Automates Threat Monitoring and Compliance Reporting
Managing cybersecurity compliance across frameworks like NIS2 and DORA can be complex, especially with the rapid evolution of threats. AIGovHub's platform offers integrated solutions to streamline this process:
- Automated Threat Monitoring: Our tools continuously scan for indicators of compromise related to threats like Starkiller or Massiv, providing real-time alerts and dashboards to support incident response.
- Compliance Reporting: Generate customized reports for NIS2 incident notifications and DORA resilience testing, ensuring timely submissions to regulators.
- Risk Management Integration: Map security controls to NIST CSF 2.0, ISO 27001, and regulatory requirements, facilitating audits and assessments.
For example, our platform can help organizations track MFA bypass attempts or mobile malware incidents, automating data collection for compliance reports. To assess your readiness, consider our free NIS2 compliance assessment tool, which identifies gaps and provides actionable recommendations.
Key Takeaways for Cybersecurity in 2026
- The Starkiller phishing-as-a-service platform and Massiv Android trojan represent sophisticated threats that require advanced defenses, including phishing-resistant MFA and mobile security protocols.
- NIS2 Directive mandates staged incident reporting (24-hour early warning, 72-hour notification, final report within one month) and risk management measures that explicitly include MFA, with penalties up to EUR 10 million or 2% of global turnover for essential entities that fail to comply.
- DORA requires financial entities to implement ICT risk management frameworks and resilience testing, applying from 17 January 2025.
- Mitigation strategies should include strengthening authentication, enhancing mobile security, and adopting risk-based approaches aligned with NIST CSF 2.0 and ISO 27001.
- Tools like AIGovHub's platform can automate threat monitoring and compliance reporting, reducing the burden on security teams.
This content is for informational purposes only and does not constitute legal advice. Organizations should verify current regulatory timelines and consult with experts to ensure compliance. Some links in this article are affiliate links. See our disclosure policy.