Meta’s WhatsApp has successfully identified and halted a new series of spear-phishing attacks tied to the NSO Group, an Israeli firm known for its controversial spyware, Pegasus. This development has prompted WhatsApp to urge a federal court to hold NSO in contempt for breaching a previous court order issued last year.
Legal Battle Against NSO Group
In May 2025, a U.S. federal jury mandated NSO Group to pay significant damages to WhatsApp, amounting to over $600 million. This ruling came after NSO exploited a vulnerability in WhatsApp’s VOIP stack in 2019, affecting around 1,400 users with its Pegasus spyware. The court had subsequently issued a permanent injunction against NSO, prohibiting any future targeting of WhatsApp users.
Despite the court’s decision, NSO has been persistent in its activities. Court documents indicate the firm continued to develop new exploits, including malware codenamed ‘Erised’ and ‘Heaven’, even after the lawsuit was initiated.
Recent Phishing Campaign Uncovered
WhatsApp’s latest probe, following user complaints, revealed NSO-affiliated accounts employing phishing tactics. These involved deceptive links aimed at compromising user devices. Notably, fewer than ten individuals in Jordan and Lebanon were targeted, with no successful breaches reported. WhatsApp swiftly dismantled test accounts and groups orchestrated by the perpetrators.
The messaging platform is now requesting the U.S. federal court to declare NSO in contempt of the injunction, arguing that the renewed phishing campaign is a deliberate breach of the court’s binding order.
Support and Future Measures
WhatsApp’s efforts are bolstered by a coalition of support. In May 2026, twelve civil rights organizations submitted briefs supporting the injunction. Additionally, WhatsApp has contributed to the Spyware Accountability Initiative, a fund backing global forensic research and advocacy groups.
Collaborating with Citizen Lab, a technical partner since 2019, WhatsApp has previously helped instigate an Apple security update that safeguarded over a billion devices from similar threats.
Users are advised to stay vigilant against phishing attempts, particularly those involving the following malicious domains: hxxps://ikhwancast[.]com, hxxps://ghazacast[.]com, and hxxps://fr24cast[.]com. Continuous monitoring across all communication platforms is crucial to thwart future attacks.
