WhatsApp Thwarts NSO Group’s Latest Pegasus Spyware Attack
In a significant development in the ongoing battle against cyber espionage, Meta’s WhatsApp has successfully identified and disrupted a new spear-phishing campaign linked to the Israeli spyware firm NSO Group. This action comes after a U.S. federal jury ordered NSO Group to pay substantial damages to WhatsApp in May 2025 for previous cyberattacks.
Background on NSO Group’s Activities
NSO Group, known for its controversial Pegasus spyware, has a history of exploiting vulnerabilities in communication platforms to infiltrate devices. In 2019, the company exploited a buffer overflow vulnerability in WhatsApp’s VoIP stack, compromising approximately 1,400 users globally. This led to a lawsuit by WhatsApp, resulting in a permanent injunction barring NSO from targeting the platform and its users.
Recent Spear-Phishing Campaign
Despite the injunction, WhatsApp’s recent investigation, prompted by user reports, uncovered NSO-linked accounts attempting to lure users into clicking on malicious external links—a classic one-click phishing technique. The campaign primarily targeted fewer than ten users in Jordan and Lebanon. Fortunately, no successful device compromises were detected. WhatsApp promptly identified and dismantled test accounts and groups created by the threat actors to stage these attacks.
Legal Actions and Industry Response
In response to this renewed targeting, WhatsApp is petitioning the U.S. federal court to hold NSO in contempt of the permanent injunction, arguing that the recent activities constitute a direct and willful violation of a binding court order. NSO’s CEO has previously confirmed in court that the company actively seeks new vectors to access phones, including browsers, operating systems, and third-party applications, illustrating the persistent nature of its surveillance operations.
WhatsApp’s efforts are bolstered by support from civil rights organizations. In May 2026, twelve such organizations filed amicus briefs in favor of the permanent injunction against NSO’s appeal. Additionally, WhatsApp has contributed significantly to the Spyware Accountability Initiative (SAI), a fund supporting forensic research organizations, advocacy groups, and user-support networks globally.
Indicators of Compromise (IOCs)
Users and cybersecurity defenders are urged to be vigilant. The following malicious domains have been confirmed as linked to NSO-associated phishing infrastructure:
– hxxps://ikhwancast[.]com
– hxxps://ghazacast[.]com
– hxxps://fr24cast[.]com
It’s crucial to monitor all platforms, including SMS, email, and messaging apps, for any interactions with these domains.
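One way to run that check over exported logs is sketched below, as an added example that is not WhatsApp's or any vendor's tooling. It refangs the three indicators above and matches exact hosts and subdomains only, so lookalike names do not alert; the record format, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed above (defanged).
DEFANGED_IOCS = [
    "hxxps://ikhwancast[.]com",
    "hxxps://ghazacast[.]com",
    "hxxps://fr24cast[.]com",
]

def refang(text):
    """Undo common defanging so indicators and log text compare equal."""
    return re.sub(r"hxxp", "http", text, flags=re.I).replace("[.]", ".").replace("(.)", ".")

def ioc_hosts(iocs=DEFANGED_IOCS):
    """Return the set of lowercase hostnames named by the indicators."""
    return {urlsplit(refang(i)).hostname for i in iocs}

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)  # candidate hostnames

def match_host(host, bad_hosts):
    """Return the indicator if host equals it or is a subdomain of it, else None."""
    host = host.lower().rstrip(".")  # DNS logs often carry a trailing root dot
    for bad in bad_hosts:
        if host == bad or host.endswith("." + bad):
            return bad
    return None

def scan(records, bad_hosts=None):
    """records: iterable of (channel, text); returns (channel, host, indicator) hits."""
    bad_hosts = bad_hosts or ioc_hosts()
    hits = []
    for channel, text in records:
        for host in HOST_RE.findall(refang(text)):
            ioc = match_host(host, bad_hosts)
            if ioc:
                hits.append((channel, host.lower(), ioc))
    return hits

# Constructed sample records (hypothetical format, not real traffic).
SAMPLE = [
    ("dns", "query A cdn.ikhwancast.com."),                      # subdomain: hit
    ("email", "Reported link: hxxps://News.GhazaCast[.]com/"),  # defanged, mixed case: hit
    ("chat", "see fr24cast.com.example.org"),                    # indicator as a prefix: no hit
    ("proxy", "GET http://notfr24cast.com/ 200"),                # lookalike suffix: no hit
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```
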
Conclusion
WhatsApp’s proactive measures against NSO Group’s latest cyberattack underscore the ongoing challenges in safeguarding user privacy against sophisticated spyware. The collaboration between tech companies, legal systems, and civil rights organizations plays a pivotal role in holding malicious actors accountable and protecting global users from unauthorized surveillance.