WhatsApp Stops NSO Pegasus Spyware Attacks on Users

Meta’s WhatsApp has identified and disrupted a fresh wave of spear-phishing campaigns directly linked to NSO Group, the Israeli spyware firm blacklisted by the U.S. government. As a result, WhatsApp is now petitioning a federal court to hold NSO Group in contempt for violating a permanent injunction issued just last year.

In May 2025, a U.S. federal jury ordered NSO Group to pay $167,254,000 in punitive damages and $444,719 in compensatory damages to WhatsApp following a 2019 campaign that compromised approximately 1,400 users.

That case which began when NSO exploited a buffer overflow vulnerability in WhatsApp’s VOIP stack to silently deliver Pegasus spyware resulted in a permanent injunction barring NSO from ever targeting WhatsApp and its users again.

NSO’s history of defiance is well-documented; court filings revealed the firm continued developing exploits including malware vectors codenamed “Erised” and “Heaven” even after the original lawsuit was filed.

WhatsApp’s latest investigation, triggered by user reports, uncovered NSO-linked accounts attempting to lure users into clicking on malicious external links, a classic 1-click phishing technique previously attributed to NSO Group.

The campaign primarily targeted fewer than 10 users in Jordan and Lebanon, according to a Meta spokesperson, who confirmed no signs of successful device compromise were detected. WhatsApp also identified and took down test accounts and groups created by threat actors to stage the attacks.

WhatsApp Disrupts NSO Attack

WhatsApp is now petitioning the U.S. federal court to hold NSO in contempt of the permanent injunction, arguing that the renewed targeting activity constitutes a direct and willful violation of a binding court order.

NSO’s own CEO has confirmed in court that the company actively seeks “vectors, or ways to access the phone” beyond WhatsApp — including browsers, operating systems, and third-party applications illustrating the persistent and expansive nature of its surveillance-for-hire operations.

WhatsApp is not fighting this battle alone. In May 2026, 12 civil rights organizations filed amicus briefs in support of the permanent injunction against NSO’s appeal.

WhatsApp has also made a significant financial contribution to the Spyware Accountability Initiative (SAI), a fund supporting forensic research organizations, advocacy groups, and user-support networks globally.

Citizen Lab, a key technical partner since 2019, previously leveraged its spyware research to trigger an Apple security update protecting over a billion devices.

Threat Indicators (IOCs)

The following malicious domains have been confirmed as linked to NSO-associated phishing infrastructure. Users and defenders are urged to scan across all platforms — SMS, email, and messaging apps:

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.