WhatsApp has detected and shut down a coordinated spear phishing campaign linked to NSO Group, the Israeli surveillance technology firm behind the Pegasus spyware platform.
The Meta-owned messaging service is now pursuing a federal court contempt order against NSO, alleging the company violated a permanent injunction that explicitly prohibited it from targeting WhatsApp infrastructure or its users.
The contempt filing follows WhatsApp’s landmark May 2025 court victory, in which a federal court found NSO violated both federal and state hacking laws. The accompanying permanent injunction was designed to serve as a definitive legal barrier that WhatsApp now claims NSO has openly defied.
WhatsApp’s security team, acting on user-submitted reports, identified and dismantled a multi-vector social engineering campaign operationally consistent with NSO’s previously documented offensive tactics. The attack chain included two primary components:
- Malicious link delivery — Threat actors attempted to redirect targets to external phishing domains outside the WhatsApp ecosystem, consistent with one-click exploit delivery methods previously attributed to NSO and documented by Access Now in Jordan-based targeting operations
- Fake account and group infrastructure — NSO-linked operators created test accounts and WhatsApp groups as operational staging environments, all of which have since been taken down
In court proceedings, NSO’s own CEO acknowledged that the firm actively seeks “vectors, or ways to access the phone” beyond WhatsApp alone, including browsers, operating systems, and third-party applications, confirming the broad attack surface that security teams must account for.
Indicators of Compromise (IOCs)
WhatsApp is publicly disclosing the following malicious domains identified during the investigation. Security teams should immediately flag or block these indicators across endpoint, email, DNS, and network monitoring environments:
- hxxps://ikhwancast[.]com
- hxxps://ghazacast[.]com
- hxxps://fr24cast[.]com
These domains were used to deliver phishing payloads and may have been deployed across multiple vectors beyond WhatsApp, including SMS and email channels.
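As an added example (not from WhatsApp or the original article), the sketch below refangs the three published indicators and flags DNS queries for those domains or any subdomain of them. The log format, timestamps, client addresses and function names are constructed assumptions for illustration.

```python
import re

# Defanged indicators exactly as published on this page.
DEFANGED_IOCS = [
    "hxxps://ikhwancast[.]com",
    "hxxps://ghazacast[.]com",
    "hxxps://fr24cast[.]com",
]

def refang_domain(ioc: str) -> str:
    """Turn 'hxxps://example[.]com' into the bare lowercase domain."""
    s = ioc.strip().replace("[.]", ".")
    s = re.sub(r"^hxxps?://", "", s, flags=re.IGNORECASE)
    return s.split("/", 1)[0].rstrip(".").lower()

BLOCKED = {refang_domain(i) for i in DEFANGED_IOCS}

def matches_ioc(qname: str, blocked=BLOCKED):
    """Return the blocked domain that qname equals or is a subdomain of, else None.

    Matching is on whole labels, so 'cdn.fr24cast.com' hits but 'notfr24cast.com' does not.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

# Constructed sample DNS query log: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.0.0.5 A www.example.org.
2025-01-01T10:00:02Z 10.0.0.7 A fr24cast.com.
2025-01-01T10:00:03Z 10.0.0.7 AAAA Login.GhazaCast.com
2025-01-01T10:00:04Z 10.0.0.9 A notfr24cast.com
2025-01-01T10:00:05Z 10.0.0.9 A ikhwancast.com.cdn.example
"""

def scan(log_text: str):
    """Return (timestamp, client, qname, matched_ioc) for each hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, _qtype, qname = parts
        if (ioc := matches_ioc(qname)):
            hits.append((ts, client, qname, ioc))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Label-wise suffix matching avoids the false positives that a plain substring search would raise on the last two sample lines.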
The case has generated significant momentum within civil society. Twelve prominent civil rights organizations recently filed amicus briefs opposing NSO’s appeal of the permanent injunction, reflecting broad institutional resistance to commercial spyware operations.
WhatsApp is also contributing financially to the Spyware Accountability Initiative (SAI), a fund supporting forensic research, victim advocacy, and civil society organizations globally.
The initiative’s practical impact is already measurable: a Citizen Lab zero-day discovery previously triggered an Apple security patch deployed to over one billion devices, and a Greek court this year issued the first-ever criminal conviction of spyware company executives, built in part on Citizen Lab forensic evidence.
WhatsApp urges all users to keep applications and device operating systems fully updated and to report suspicious messages immediately through the platform’s built-in reporting tools.
For individuals at elevated risk, including journalists, government officials, and humanitarian workers, the platform strongly recommends enabling strict account protection settings.
All personal messages and calls on WhatsApp remain protected by default end-to-end encryption. The contempt motion underscores a broader reality the security community has long recognized: court-enforced restrictions against commercial spyware vendors require sustained, active legal defense. No single platform, operating alone, can neutralize the threat posed by the commercial surveillance industry.
Site: thecybrdef.com