Meta Blocks NSO Group WhatsApp Phishing Attack, Files Contempt Order
Meta announced on Monday that it detected and neutralized a new wave of spear-phishing campaigns orchestrated by Israeli commercial spyware vendor NSO Group, targeting journalists, activists, and other high-risk individuals through WhatsApp. The attackers used one-click phishing lures designed to redirect victims to external malicious websites outside the WhatsApp ecosystem, a tactic consistent with previously documented NSO Group operations leveraging its Pegasus surveillance suite. Meta also disclosed that NSO Group had been operating test accounts and groups on the platform, which have since been suspended.
The three malicious domains linked to the campaign were identified as fr24cast[.]com, ghazacast[.]com, and ikhwancast[.]com. Researchers and at-risk users can investigate these indicators using a WHOIS lookup to trace registration metadata and hosting infrastructure. This action marks the latest escalation in a years-long legal battle, with Meta filing a federal contempt order alleging that NSO Group violated a permanent injunction barring it from targeting WhatsApp and its users. The filing follows a 2025 ruling in which NSO Group was ordered to pay approximately $168 million in damages after a U.S. court found the company exploited WhatsApp servers to deploy Pegasus against more than 1,400 individuals globally. NSO Group was also added to the U.S. Commerce Department blocklist in 2021 for activities deemed contrary to U.S. national security interests.
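The three campaign domains named above can be checked against DNS resolver or web proxy logs. This is an added example, not code from Meta or the original article: it refangs the published indicators and matches on DNS label boundaries, so subdomains hit and look-alike names do not. The log lines, the `cdn` subdomain and the `/live` path are constructed for illustration.

```python
import re

# Defanged indicators exactly as published in the article.
PUBLISHED_IOCS = ["fr24cast[.]com", "ghazacast[.]com", "ikhwancast[.]com"]

DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\[dot\]")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def hostnames(text):
    """Lower-case, undo defanging, and return every hostname-shaped token."""
    return HOST_RE.findall(DEFANG_DOT.sub(".", text.lower()))

IOC_SET = {h for ioc in PUBLISHED_IOCS for h in hostnames(ioc)}

def matched_ioc(host):
    """Return the indicator that `host` equals or is a subdomain of, else None.

    Comparison walks whole labels, so 'cdn.fr24cast.com' matches while
    'notfr24cast.com' and 'ghazacast.com.example.net' do not.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_SET:
            return candidate
    return None

def scan(lines):
    """Return (line number, observed host, matched indicator) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for host in hostnames(line):
            ioc = matched_ioc(host)
            if ioc:
                hits.append((lineno, host, ioc))
    return hits

# Constructed sample: resolver lines, one analyst note with a defanged link,
# and two look-alike names that must not match.
SAMPLE_LOG = [
    "T0 client=10.0.0.5 query=www.example.org. type=A",
    "T1 client=10.0.0.5 query=cdn.FR24cast.com. type=A",
    "T2 client=10.0.0.7 query=notfr24cast.com. type=A",
    "T3 note=user reported link hxxps://ikhwancast[.]com/live",
    "T4 client=10.0.0.9 query=ghazacast.com.example.net. type=A",
]

if __name__ == "__main__":
    for lineno, host, ioc in scan(SAMPLE_LOG):
        print(f"line {lineno}: {host} matches published indicator {ioc}")
```

A hit identifies which client to review further; it does not by itself show that the link was opened or that a device was compromised.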
"WhatsApp users' personal messages and calls remain protected with default end-to-end encryption," Meta stated, emphasizing that the underlying messaging protocol was not compromised. However, the company urged users to keep their apps and devices updated and to report any suspicious activity. For individuals at elevated risk, Meta has activated a "Strict Account Settings" feature that hardens account defenses by enabling two-step verification, disabling link previews, locking last-seen, profile photo, About details, and profile links to contacts only, and restricting group additions to known contacts. Users concerned about account exposure can run a privacy checkup to review their current configuration or verify their contact details against known compromises using an email breach checker.
The case underscores the persistent threat posed by mercenary spyware operations and the limits of platform-level defenses against well-resourced adversaries. While encryption protects message content in transit, the human element, clicking a single link, remains the primary attack vector for sophisticated phishing campaigns. As commercial spyware vendors continue to evolve their tradecraft, layered security hygiene, including hardened account settings, device updates, and awareness of social engineering lures, remains the most effective defense for journalists, dissidents, and civil society targets.