ProBackend

NSO Group Keeps Coming: WhatsApp Disrupts New Spear-Phishing Push and Asks Court to Hold Them in Contempt

Meta says it disrupted NSO-linked spear-phishing attempts against WhatsApp users and is asking a federal judge to hold the Israeli spyware maker in contempt for violating a 2025 permanent injunction that bars it from targeting the platform.

WhatsApp Caught NSO Phishing — Again

Here's the thing about court orders and spyware vendors: they don't always stick. WhatsApp just announced it disrupted a fresh round of NSO Group-linked spear-phishing attacks after users reported suspicious social engineering attempts, and the company is now asking a federal judge to hold NSO in contempt for violating a permanent injunction that was supposed to stop exactly this kind of thing.

Meta's announcement dropped on June 8, 2026, and it reads less like a victory lap and more like a warning. NSO — the Israeli firm behind Pegasus, the commercial spyware tool that's been deployed against politicians, journalists, activists, and academics worldwide — kept targeting WhatsApp users. They tried to lure people into clicking malicious links that redirected outside the app, similar to previously documented one-click phishing campaigns. They also created test accounts and groups on WhatsApp, which Meta caught and took down.

"We successfully disrupted NSO-linked social engineering attempts, after investigating user reports," Meta said. "They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO. We also caught them creating test accounts and groups on WhatsApp, which we took down."

The domains Meta flagged as indicators of compromise are ikhwancast.com, ghazacast.com, and fr24cast.com. If you see any of those in a link shared through WhatsApp, don't click it. Report it. Block it. Do something — because the people behind these campaigns aren't amateurs.

I've been tracking NSO's legal troubles since the early days of the Meta lawsuit, and honestly? This feels like whack-a-mole with a side of frustration. The court said stop. They stopped — or at least they tried to look like they did. Then Meta found them doing it again through social engineering instead of zero-days. That's not compliance. That's evasion.

The Attack Pattern: Social Engineering, Not Zero-Days This Time

What's interesting about this particular campaign is the pivot in technique. Previous NSO attacks against WhatsApp relied heavily on zero-day vulnerabilities — exploiting flaws in the app itself to silently install Pegasus. This time, they went old school: phishing links and fake accounts.

The malicious domains Meta identified — ikhwancast.com, ghazacast.com, and fr24cast.com — were being used to redirect targets to external websites designed to trick users into downloading spyware or handing over credentials. The pattern matches what we've seen from NSO before: plausible-looking domains that hint at legitimate services (cast platforms, news feeds) but are actually phishing infrastructure.
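An added example (not code from Meta or from this article's author): one way a defender could check DNS or proxy logs and user-reported links against the three domains listed above, matching subdomains and defanged links while ignoring look-alike hosts. The log format and function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Domains the article lists as Meta's indicators of compromise.
IOC_DOMAINS = {"ikhwancast.com", "ghazacast.com", "fr24cast.com"}
# A URL or bare hostname, followed by an optional path/query.
TOKEN_RE = re.compile(r"(?:https?://)?[a-z0-9.\-]+\.[a-z]{2,}[^\s\"'<>]*", re.I)

def refang(text):
    """Undo common defanging (hxxp://, [.]) so reported links can be parsed."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)

def host_of(token):
    """Return the lower-cased hostname of a URL or bare host, '' if unparsable."""
    if "://" not in token:
        token = "http://" + token
    try:
        host = urlsplit(token).hostname or ""
    except ValueError:
        return ""
    # Drop the trailing dot of FQDN form and any sentence punctuation.
    return host.rstrip(".,;)").lower()

def ioc_match(host):
    """Match a listed domain or any subdomain of it, never a look-alike."""
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan(lines):
    """Return (line_number, host, matched_domain) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for token in TOKEN_RE.findall(refang(line)):
            host = host_of(token)
            matched = ioc_match(host)
            if matched:
                hits.append((number, host, matched))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE = [
    "2026-06-08T10:01:02Z dns query A live.ikhwancast.com. client=10.0.0.5",
    "2026-06-08T10:01:09Z proxy GET https://FR24Cast.com/watch?id=1 client=10.0.0.7",
    "2026-06-08T10:02:00Z proxy GET https://notghazacast.com/ client=10.0.0.8",
    "2026-06-08T10:02:30Z proxy GET https://ghazacast.com.example.net/x client=10.0.0.9",
    "2026-06-08T10:03:00Z ticket user reported hxxps://ghazacast[.]com/live",
]
print(scan(SAMPLE))
```

Lines 3 and 4 of the sample are deliberate non-matches: a plain substring search would flag both, which is why the check compares the parsed hostname against the domain and its dot-prefixed suffix.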

Meta also caught NSO creating test accounts and groups on the platform. That's a significant operational detail. It means they weren't just sending links — they were building out the social engineering environment, setting up groups to make the attacks look organic, testing their payloads before going live. This is methodical work. It's also exactly the kind of activity that should trigger faster automated detection if Meta's security teams had the right signals in place.

I'll say this for WhatsApp: they're doing the user-reporting pipeline right. Users flagged suspicious activity, Meta investigated, confirmed the threat, and took down the infrastructure. That's how it should work. But user-reported attacks are still reactive by nature, and the gap between someone clicking a malicious link and Meta catching it is where the damage happens.

The fact that NSO switched from zero-day exploitation to social engineering tells you something important about their constraints. The court injunction, the sanctions, the public shaming — it all raised the cost of doing business. So they adapted. They found a vector that doesn't require exploiting WhatsApp's code directly and instead targets the human layer. That's not a weakness in Meta's defenses. It's a reminder that no amount of end-to-end encryption can protect you from someone convincing you to click a link.

To understand why this contempt motion matters, you need the timeline. It goes back to 2019, when WhatsApp first sued NSO after discovering that a zero-day vulnerability had been exploited to deliver Pegasus spyware to users. The case wound through the federal courts for years, and here's where it got interesting:

In December 2024, a judge ruled that NSO was liable for exploiting WhatsApp servers to deploy Pegasus targeting over 1,400 individuals globally. That's not a theoretical number — that's 1,400 real people whose phones were compromised by state-sponsored spyware.

In May 2025, a jury ordered NSO to pay more than $444,000 in compensatory damages plus $167 million in punitive damages. NSO appealed, of course. In October 2025, the judge reduced the punitive damages to $4 million but granted WhatsApp a permanent injunction barring NSO from hacking its users. That's the order NSO is now allegedly violating.

And here's the part that makes me angry: NSO's CEO stated in court that the company seeks access vectors beyond WhatsApp. They told a federal judge — under oath, in open court — that they were looking for new ways to target WhatsApp users. And then Meta found them doing exactly that through phishing campaigns.

Meta filed a contempt motion asking the federal judge to hold NSO in contempt of that 2025 injunction. This isn't just about punishing past behavior — it's about establishing that the court order has teeth. If contempt doesn't work, what does? Fines? NSO's already been fined. Incarceration of corporate officers? That's a much higher bar.

Nearly a dozen civil society organizations filed an amicus brief with the Ninth Circuit Court of Appeals to maintain the lower court's permanent injunction. That's significant. It shows that the broader ecosystem — privacy advocates, press freedom groups, human rights organizations — sees this as a case that goes well beyond WhatsApp's commercial interests. When civil society lines up behind a company in a spyware case, it means the stakes are about something bigger than platform security.

Broader Context: Sanctions, Surveillance, and the Spyware Economy

NSO has been on the U.S. sanctioned entities list since November 2021, when the Commerce Department added them for supplying foreign governments with software products used against people and organizations in the United States. Tools from NSO were also used by regimes considered repressive that targeted dissidents outside their borders.

Here's what bothers me about the sanctions situation: being on a sanctions list should make it illegal for U.S. persons and entities to do business with you. It should restrict your access to the U.S. financial system, to American technology, to basic commercial infrastructure. But NSO keeps operating. They keep developing their tools. They keep targeting platforms like WhatsApp despite the legal and financial consequences.

The sanctions are a tool, but they're not a wall. And the gap between "sanctioned entity" and "unable to operate" is where companies like NSO live.

WhatsApp also noted that it's making a "significant contribution" to the Spyware Accountability Initiative, a fund supporting work aimed at exposing and stopping spyware abuse. That's a positive step — putting money where the problem is, funding the kind of research and advocacy that helps hold these vendors accountable. But it's also an admission that the current regulatory framework isn't sufficient on its own.

The broader spyware economy is a problem that won't be solved by one court case or one platform's security improvements. NSO isn't the only commercial spyware vendor operating in this space, and they're not even the most aggressive one by some measures. But they're the one that got caught targeting WhatsApp at scale, and the legal precedent set by this case could matter for how all of these vendors are treated going forward.

What Users Can Actually Do About It

Meta's guidance on user protections is straightforward, and I appreciate that they're not burying the recommendations in legal language:

End-to-end encryption protects your messages and calls from Pegasus. This is non-negotiable — WhatsApp's default E2EE means that even if someone intercepts your traffic, they can't read the content. But here's the catch: E2EE only protects what happens inside WhatsApp. It doesn't protect you from being tricked into clicking a malicious link that takes you outside the app.

Keep your apps and operating systems updated. This sounds like a no-brainer, but it's the single most effective defense against zero-day exploitation. When Meta patches a vulnerability, that patch goes out to billions of devices. Users who don't update are essentially leaving their doors unlocked.

Enable "Strict Account Settings" — WhatsApp's lockdown-style feature that reduces your attack surface. This means turning on two-step verification, disabling link previews, locking your profile info to contacts only, and restricting who can add you to groups. It's the digital equivalent of closing your blinds and locking every door.

iOS users can enable Lockdown Mode, which is Apple's most restrictive security posture. Android users can activate Advanced Protection through Google. Both are designed specifically to reduce the attack surface and data exposure to spyware.

I'll be honest: most people won't do any of this. They'll keep their phones on auto-update (good), but they won't enable Strict Account Settings because it's slightly inconvenient. They'll ignore Lockdown Mode because it makes their phone feel restricted. And that's exactly the gap that attackers exploit.

The human layer is always the weakest link. No amount of encryption, no matter how rigorously implemented, can compensate for a user clicking a link they shouldn't have. That's why Meta's emphasis on user reporting matters so much — it turns every WhatsApp user into a potential early-warning system.

Why This Matters Beyond WhatsApp

This story matters because it demonstrates a pattern: sanctioned spyware vendors will keep finding new ways to target platforms, regardless of legal consequences. The court order didn't stop NSO — it just changed their tactics from zero-day exploitation to social engineering.

The contempt motion is important, but it's also a signal. It tells other spyware vendors that platforms are watching, that legal consequences are real, and that violations won't go unchallenged. That's the kind of deterrence that actually works in this space — not just fines, but the credible threat of contempt proceedings that could escalate to personal liability for corporate officers.

The civil society amicus brief is equally significant. When privacy advocates, press freedom groups, and human rights organizations line up behind a platform in a spyware case, it reframes the issue from "corporate security" to "fundamental rights." That matters for public opinion, for policy, and for the broader conversation about how we regulate commercial surveillance tools.

WhatsApp's contribution to the Spyware Accountability Initiative is a step in the right direction, but it's not enough. The spyware economy needs structural change — stricter export controls, more aggressive sanctions enforcement, international coordination on vendor accountability. One company's security improvements can't solve a problem that's fundamentally political and economic in nature.

But here's what I'll hold onto: Meta is fighting back. They're using the courts, they're sharing threat intelligence, they're empowering users to report suspicious activity. It's not a perfect defense, but it's better than doing nothing. And in the war against commercial spyware, "better" is the only word that matters.
