PROBABLYPWNED
Threat Intelligence | June 8, 2026 | 4 min read

NSO Group Defies Court Order With New WhatsApp Phishing Wave

Meta catches NSO Group targeting WhatsApp users in Jordan and Lebanon despite permanent injunction. Files contempt order after detecting one-click phishing attempts.

Alex Kowalski

WhatsApp caught NSO Group running phishing operations against its users just months after a federal court barred the spyware vendor from ever targeting the platform again. Meta disclosed the activity on June 8, 2026, and filed a contempt motion arguing NSO violated the permanent injunction issued in October 2025.

The campaign targeted fewer than 10 users, primarily in Jordan and Lebanon—regions where surveillance operations against journalists and activists have been documented repeatedly over the past year.

How the Attack Worked

NSO employed classic one-click phishing tactics rather than the zero-click exploits the company became infamous for. Attackers sent malicious links through various channels—SMS, email, and messaging apps—attempting to lure targets to external websites that would facilitate Pegasus deployment. The technique mirrors other recent phishing campaigns targeting enterprise messaging platforms, though NSO's infrastructure and targeting profile remain distinctly nation-state grade.

Meta identified three domains tied to the activity:

  • hxxps://ikhwancast[.]com
  • hxxps://ghazacast[.]com
  • hxxps://fr24cast[.]com

The domain names suggest targeting Arabic-speaking users, with "ikhwan" referencing the Arabic word for "brothers" commonly associated with the Muslim Brotherhood. NSO also created test accounts and groups on WhatsApp itself, which Meta promptly removed.

WhatsApp detected and disrupted the campaign before confirming any successful compromises. The company shared threat indicators publicly so users across all platforms could check whether they were targeted.

Legal Context

The timing makes NSO's position particularly precarious. In December 2024, a federal judge found NSO liable for hacking violations after a five-year legal battle stemming from a 2019 campaign that compromised over 1,400 WhatsApp users. A jury in May 2025 awarded Meta approximately 168 million dollars in damages—later reduced to 4 million through judicial review.

More critically, the October 2025 permanent injunction explicitly barred NSO from targeting WhatsApp and its users. WhatsApp argues the newly discovered phishing campaign constitutes a clear violation of that order.

NSO Group declined to comment when contacted by reporters.

Why This Matters

Commercial spyware vendors have operated in a regulatory gray zone for years, marketing surveillance tools to governments while maintaining plausible deniability about how clients deploy them. The Pegasus Project investigation in 2021 revealed that governments had used NSO tools against at least 200 journalists across 24 countries, along with political dissidents, lawyers, and human rights activists.

The US Commerce Department added NSO to its Entity List in November 2021, effectively blacklisting the company from purchasing American technology. Yet NSO continues operating, and its CEO has publicly acknowledged the company "looks for vectors, or ways to access the phone" beyond any single platform—browsers, operating systems, and messaging applications all remain in scope.

This latest incident demonstrates that court injunctions may not deter surveillance vendors from continuing operations. If the court finds NSO in contempt, it could impose additional sanctions, fines, or even criminal referrals—though enforcement against an Israeli company operating internationally presents obvious challenges.

Broader Spyware Landscape

NSO isn't alone in targeting mobile devices. The ZeroDayRAT spyware platform discovered earlier this year offers similar capabilities—live surveillance, OTP interception, and crypto theft—marketed openly on Telegram to any criminal willing to pay. The commercialization of surveillance technology continues accelerating, with capabilities once reserved for nation-states now available to a much wider buyer pool.

Apple has issued multiple emergency patches this year for WebKit vulnerabilities linked to Pegasus-style attacks, including zero-days targeting iOS and macOS users that the company attributed to sophisticated threat actors.

WhatsApp's Response

Beyond the legal filing, WhatsApp announced a significant donation to the Spyware Accountability Initiative, a global fund supporting organizations that conduct forensic research, provide user assistance, and advocate against spyware abuse. SAI has awarded over 12 million dollars in grants to more than 45 organizations across six continents since 2023.

WhatsApp also emphasized that easing restrictions on NSO would "undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk."

Protecting Yourself

Users who suspect they may be surveillance targets should:

  • Update apps and operating systems as soon as patches are released
  • Enable strict account settings on WhatsApp and other messaging platforms
  • Scan SMS, email, and messaging apps for messages containing the identified malicious domains
  • Report suspicious activity directly to the platform
  • Consider using Lockdown Mode on iOS devices if facing sophisticated threats
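
One way to carry out the message-scanning step above, as an added example that is not code from Meta or from this article: it refangs the three published indicators and flags exact and subdomain matches in exported message text while ignoring lookalike hostnames. The `(message_id, body)` export format and the sample messages are constructed for illustration.

```python
import re

# Indicators exactly as published in the article (defanged).
PUBLISHED_IOCS = [
    "hxxps://ikhwancast[.]com",
    "hxxps://ghazacast[.]com",
    "hxxps://fr24cast[.]com",
]

# Hostname-like tokens: two or more dot-separated labels.
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def refang(text):
    """Undo common defanging so hostnames can be compared literally."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.IGNORECASE)

def ioc_hosts(iocs=PUBLISHED_IOCS):
    """Reduce each published indicator to a bare lowercase hostname."""
    return {re.sub(r"^https?://", "", refang(i).lower()).split("/")[0] for i in iocs}

def scan_messages(messages, iocs=PUBLISHED_IOCS):
    """Return sorted (message_id, matched_host, indicator) tuples.

    A host matches only if it equals an indicator or is a subdomain of it,
    so 'notikhwancast.com' and 'fr24cast.com.example.org' are not flagged.
    """
    bad = ioc_hosts(iocs)
    hits = []
    for msg_id, body in messages:
        for host in set(HOST_RE.findall(refang(body).lower())):
            for ioc in bad:
                if host == ioc or host.endswith("." + ioc):
                    hits.append((msg_id, host, ioc))
    return sorted(hits)

# Constructed sample export (not real messages).
SAMPLE = [
    ("sms-1", "Watch the stream: https://ikhwancast.com/live?id=7"),
    ("mail-2", "Forwarded warning, do not open hxxps://news.ghazacast[.]com/a"),
    ("sms-3", "Flight tracker update at FR24CAST.COM."),
    ("chat-4", "Unrelated: notikhwancast.com and fr24cast.com.example.org"),
    ("chat-5", "Lunch at noon?"),
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE):
        print(hit)
```

A hit means the message mentions an indicator, including in a forwarded warning, so each one still needs manual triage.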

The contempt hearing will determine whether NSO faces additional penalties for the continued targeting. For now, the incident serves as another reminder that legal victories against surveillance vendors don't automatically translate into changed behavior—a reality that should inform how users in at-risk categories approach their digital security.
