WhatsApp has detected and stopped spear phishing campaigns allegedly linked to the NSO Group after investigating user reports about social engineering attacks.
NSO Group is an Israeli commercial spyware company best known for Pegasus, an advanced spyware tool that has reportedly been used to target politicians, activists, journalists, academics, and other high-profile individuals. The company has been on the U.S. sanctioned entities list since November 2021 for supplying foreign governments with spyware tools that were used against people and organizations in the United States. Its tools have also been linked to governments accused of targeting dissidents outside their borders.
Despite those restrictions, Meta says NSO Group continued targeting WhatsApp users, including through attacks that previously used zero-day vulnerabilities. WhatsApp’s parent company, Meta, has also taken legal action against NSO Group in U.S. courts. In 2025, Meta secured a permanent injunction against the company, along with a declaration of liability for 1,400 infections and a $167 million fine.
According to Meta’s latest announcement, those court rulings have not stopped activity targeting some WhatsApp users. Meta said attackers tried to trick people into clicking on malicious links that redirected them to external websites outside WhatsApp. The company said the campaign looked similar to earlier one-click phishing attacks linked to NSO Group.
Meta said it successfully disrupted the NSO-linked social engineering attempts after reviewing reports from users. The company also said it detected test accounts and groups created on WhatsApp as part of the activity and removed them from the platform.
The company listed several domains as indicators of compromise connected to the detected attacks, including ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com.
Meta argues that this activity violates the 2025 court order that permanently blocks NSO Group from targeting WhatsApp or its users. The company also said the incident highlights the security risks posed by commercial spyware vendors, especially when their tools are used to target sensitive individuals or organizations.
WhatsApp said end-to-end encryption helps protect users’ messages and calls from Pegasus and other spyware. However, the company urged users to keep WhatsApp and their device operating systems updated for stronger protection.
Users who face a higher risk of spyware attacks can also enable extra security protections on their devices. Android users can turn on Advanced Protection, while iPhone users can enable Lockdown Mode. Both features are designed to reduce the attack surface and limit exposure to advanced spyware attacks.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
