WhatsApp: WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware

WhatsApp Disrupts New NSO Group Spear-Phishing Campaign, Seeks Contempt Ruling

Meta’s WhatsApp has uncovered and blocked a fresh spear-phishing campaign linked to NSO Group, the Israeli spyware firm blacklisted by the U.S. government, and is now petitioning a federal court to hold the company in contempt for violating a 2024 permanent injunction.

In May 2025, a U.S. federal jury ordered NSO Group to pay $167.25 million in punitive damages and $444,719 in compensatory damages to WhatsApp after a 2019 attack exploited a buffer overflow vulnerability in WhatsApp’s VoIP stack to deliver Pegasus spyware, compromising approximately 1,400 users. The court’s injunction explicitly barred NSO from targeting WhatsApp or its users again.

Despite this, WhatsApp’s latest investigation, triggered by user reports, identified NSO-linked accounts attempting to trick users into clicking malicious external links, a tactic consistent with the firm’s past operations. The campaign targeted fewer than 10 users in Jordan and Lebanon, with no evidence of successful device compromise. WhatsApp dismantled test accounts and groups used to stage the attacks.

NSO Group’s defiance extends beyond WhatsApp. Court filings reveal the company continued developing exploits, including malware vectors codenamed Erised and Heaven, even after the original lawsuit. NSO’s CEO has publicly acknowledged the firm’s efforts to exploit vulnerabilities in browsers, operating systems, and third-party apps, underscoring its expansive surveillance operations.

WhatsApp’s legal action is supported by 12 civil rights organizations, which filed amicus briefs in May 2026 backing the permanent injunction against NSO’s appeal. Additionally, WhatsApp has contributed funding to the Spyware Accountability Initiative (SAI), a global effort supporting forensic research, advocacy, and user-support networks. Technical partner Citizen Lab, which has collaborated with WhatsApp since 2019, previously helped Apple issue a security update protecting over a billion devices.

Threat Indicators (IOCs):

"id": "WHA1780936187",
"linkid": "whatsapp.",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Fewer than 10 users (targeted '
                                              'in Jordan and Lebanon)',
                        'industry': 'Messaging, Social Media',
                        'location': 'Global (Headquartered in the U.S.)',
                        'name': 'WhatsApp (Meta)',
                        'size': 'Large',
                        'type': 'Technology Company'}],
 'attack_vector': 'Malicious external links',
 'date_detected': '2025-05',
 'description': 'Meta’s WhatsApp uncovered and blocked a fresh spear-phishing '
                'campaign linked to NSO Group, the Israeli spyware firm '
                'blacklisted by the U.S. government. WhatsApp is petitioning a '
                'federal court to hold NSO Group in contempt for violating a '
                '2024 permanent injunction. The campaign targeted fewer than '
                '10 users in Jordan and Lebanon, with no evidence of '
                'successful device compromise. WhatsApp dismantled test '
                'accounts and groups used to stage the attacks.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'repeated targeting',
            'financial_loss': '$444,719 (compensatory damages from 2019 '
                              'attack)',
            'legal_liabilities': '$167.25 million (punitive damages from 2019 '
                                 'attack)',
            'operational_impact': 'Disruption of phishing campaign, legal '
                                  'proceedings',
            'systems_affected': 'WhatsApp user accounts'},
 'investigation_status': 'Ongoing (legal proceedings active)',
 'lessons_learned': 'NSO Group continues to defy court orders and develop new '
                    'exploit vectors despite legal consequences. Collaboration '
                    'with civil rights organizations and technical partners is '
                    'critical for threat disruption.',
 'motivation': 'Surveillance, Espionage',
 'post_incident_analysis': {'corrective_actions': 'Legal action to enforce '
                                                  'injunction, collaboration '
                                                  'with technical partners '
                                                  '(e.g., Citizen Lab), and '
                                                  'support for global spyware '
                                                  'accountability initiatives.',
                            'root_causes': 'NSO Group’s continued development '
                                           'of exploit vectors (e.g., '
                                           '*Erised*, *Heaven*) despite legal '
                                           'injunctions. Exploitation of '
                                           'vulnerabilities in browsers, '
                                           'operating systems, and third-party '
                                           'apps.'},
 'recommendations': 'Enhance monitoring for spear-phishing campaigns, '
                    'strengthen legal actions against repeat offenders, and '
                    'invest in global spyware accountability initiatives.',
 'references': [{'source': 'WhatsApp Legal Filings'},
                {'source': 'Citizen Lab'},
                {'source': 'U.S. Federal Court Ruling'}],
 'regulatory_compliance': {'legal_actions': 'Federal court injunction, '
                                            'contempt petition, $167.25 '
                                            'million punitive damages awarded '
                                            'in 2025'},
 'response': {'communication_strategy': 'Legal action, public disclosure of '
                                        'campaign',
              'containment_measures': 'Dismantled test accounts and groups '
                                      'used to stage attacks, blocked '
                                      'malicious domains',
              'incident_response_plan_activated': True,
              'third_party_assistance': 'Citizen Lab (technical partner)'},
 'stakeholder_advisories': '12 civil rights organizations filed amicus briefs '
                           'supporting WhatsApp’s legal action. Funding '
                           'provided to Spyware Accountability Initiative '
                           '(SAI).',
 'threat_actor': 'NSO Group',
 'title': 'WhatsApp Disrupts New NSO Group Spear-Phishing Campaign, Seeks '
          'Contempt Ruling',
 'type': 'Spear-Phishing'}