Meta’s WhatsApp has identified and disrupted a fresh wave of spear-phishing campaigns linked to NSO Group, the Israeli spyware firm blacklisted by the U.S. government. WhatsApp is now asking a federal court to hold NSO in contempt, arguing the renewed attacks directly violate a permanent injunction issued after a landmark 2025 trial.
Background: NSO’s Legal Troubles
In May 2025, a U.S. federal jury ordered NSO Group to pay $167,254,000 in punitive damages and $444,719 in compensatory damages to WhatsApp following a 2019 campaign that compromised approximately 1,400 users. That campaign exploited a buffer overflow vulnerability in WhatsApp’s VoIP stack to silently deliver Pegasus spyware without any user interaction.
The court issued a permanent injunction barring NSO from ever targeting WhatsApp and its users again. NSO’s history of defiance, however, is well-documented — court filings revealed the firm continued developing new exploit vectors codenamed “Erised” and “Heaven” even after the original lawsuit was filed.
The New Campaign
WhatsApp’s latest investigation, triggered by user reports, uncovered NSO-linked accounts attempting to lure users into clicking on malicious external links — a classic 1-click phishing technique previously attributed to NSO Group. The campaign primarily targeted fewer than 10 users in Jordan and Lebanon, according to a Meta spokesperson.
WhatsApp confirmed no signs of successful device compromise were detected during this campaign. The platform also identified and took down test accounts and groups created by threat actors to stage the attacks before they could reach additional victims.
Contempt Motion and Legal Action
WhatsApp is now petitioning the U.S. federal court to hold NSO in contempt of the permanent injunction, arguing that the renewed targeting activity constitutes a direct and willful violation of a binding court order. NSO’s own CEO has confirmed in court that the company actively seeks new vectors to access target devices — including browsers, operating systems, and third-party applications — illustrating the persistent and expansive nature of its surveillance-for-hire operations.
In May 2026, 12 civil rights organizations filed amicus briefs in support of the permanent injunction against NSO’s appeal, adding significant weight to the ongoing legal battle.
Industry Response and Funding
WhatsApp has made a significant financial contribution to the Spyware Accountability Initiative (SAI), a fund supporting forensic research organizations, advocacy groups, and user-support networks globally. Citizen Lab, a key technical partner since 2019, previously leveraged its spyware research to trigger an Apple security update that protected over a billion devices.
Indicators of Compromise (IOCs)
The following malicious domains have been confirmed as linked to NSO-associated phishing infrastructure. Users and defenders are urged to scan across all platforms — SMS, email, and messaging apps:
- ikhwancast[.]com
- ghazacast[.]com
- fr24cast[.]com
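One way to run that scan over exported messages, mail, or proxy and DNS logs is shown below. This is an added example, not part of the original report: it refangs the three listed domains, matches them on label boundaries so subdomains are caught while lookalike names are not, and runs over constructed sample records.

```python
import re

# Domains from the IOC list above, refanged for matching.
IOC_DOMAINS = ("ikhwancast.com", "ghazacast.com", "fr24cast.com")

# Dot-defanging styles commonly used in reports and tickets: [.], (.), [dot]
_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)
# Hostname-like token that is not glued to a preceding word character.
_HOST = re.compile(r"(?<![\w.-])[a-z0-9][a-z0-9.-]*\.[a-z]{2,}(?![\w-])")


def match_ioc(host):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.rstrip(".")
    for ioc in IOC_DOMAINS:
        # Compare on a label boundary: "x.fr24cast.com" matches,
        # "notfr24cast.com" and "fr24cast.com.example.org" do not.
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(lines):
    """Return (line_number, host, ioc) for every IOC hit in the given lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        text = _DEFANGED_DOT.sub(".", line).lower()
        for host in _HOST.findall(text):
            ioc = match_ioc(host)
            if ioc:
                hits.append((number, host, ioc))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE = [
    "sms from unknown sender: check hxxps://news[.]ikhwancast[.]com/a?id=1",
    "mail link http://GHAZACAST.com./login",
    "proxy GET notfr24cast.com/index",
    "dns query fr24cast.com.example.org",
    "chat: see fr24cast(.)com now",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```
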
What Users Should Do
While this campaign targeted a small number of high-risk individuals, the broader implications are significant. NSO Group’s tools have historically been used against journalists, activists, lawyers, and government officials worldwide. Recommended defensive measures include:
- Enable Lockdown Mode on iPhones for high-risk individuals
- Avoid clicking unknown links sent via any messaging platform
- Keep devices and applications updated to ensure the latest security patches are applied
- Use Citizen Lab’s or Amnesty International’s detection tools if compromise is suspected
The renewed campaign underscores that commercial spyware vendors pose a persistent, ongoing threat regardless of legal sanctions. WhatsApp’s contempt motion, if successful, could set a significant precedent for accountability in the mercenary spyware industry.