WhatsApp detects new spyware activity from Israel’s NSO Group despite court order

Filip TRUȚĂ

June 09, 2026

WhatsApp says it has uncovered new spyware-related attacks linked to NSO Group, the controversial Israeli surveillance vendor behind Pegasus spyware. It is now asking a U.S. court to hold the company in contempt for allegedly violating a permanent injunction that barred it from targeting WhatsApp users.

Key takeaways

  • WhatsApp says it has disrupted new spyware delivery attempts linked to NSO Group
  • Meta is seeking a contempt order, arguing NSO violated a court injunction issued after a landmark legal victory
  • The latest attacks reportedly relied on phishing-style tactics designed to trick users into clicking malicious links
  • Commercial spyware vendors continue to pose risks to journalists, activists, government officials, and other high-profile targets
  • The incident demonstrates why spyware regulation and stronger device protection remain critical

What is Pegasus spyware?

Pegasus is among the world's most notorious surveillance tools. Once installed on a device, it can access messages, photos, microphones, cameras, location data, and other sensitive information.

Over the past several years, investigations by security researchers and human rights organizations have linked Pegasus infections to surveillance campaigns targeting journalists, political dissidents, activists, lawyers, diplomats, and government critics around the world.

WhatsApp's original lawsuit, filed in 2019, alleged that NSO exploited vulnerabilities in the messaging platform to infect users with Pegasus spyware.

The case became one of the most significant legal challenges ever brought against the commercial spyware industry.

WhatsApp detects new spyware attacks on its platform

WhatsApp parent company Meta announced this week that WhatsApp detected and disrupted a new campaign involving accounts and groups allegedly connected to NSO Group.

The activity resembled previous Pegasus deployment methods and involved spear-phishing attempts designed to lure targets to malicious websites, the company says.

From Meta’s June 8 blog post:

“We successfully disrupted NSO-linked social engineering attempts, after investigating user reports. They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO. We also caught them creating test accounts and groups on WhatsApp, which we took down.”

The move comes after WhatsApp secured a major legal victory against NSO Group roughly a year ago, when a U.S. court permanently barred the spyware vendor from targeting WhatsApp or its users. The court had found NSO Group liable for exploiting WhatsApp to deploy Pegasus spyware.

Meta said this newly discovered activity demonstrates that NSO continues to develop and deploy spyware capabilities despite legal restrictions and placement on the U.S. Commerce Department's Entity List.

The company is also sharing the malicious domains (URLs) associated with this new campaign “so that anyone can check if they were targeted by NSO-linked social engineering attempts across any platform — be it text message, email, WhatsApp message, or something else.”

Malicious domains:
hxxps://ikhwancast[.]com
hxxps://ghazacast[.]com
hxxps://fr24cast[.]com
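
One way to run the check Meta describes against an exported chat, SMS backup or mail log, shown as an added example that is not code from Meta, WhatsApp or this article. The function names and the sample lines are assumptions made for illustration; only the three indicators come from the list above.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published on this page (defanged).
PUBLISHED_IOCS = ["hxxps://ikhwancast[.]com", "hxxps://ghazacast[.]com",
                  "hxxps://fr24cast[.]com"]

# Constructed sample export, kept defanged; real exports hold live URLs,
# which the scanner handles the same way. Paths and look-alikes are made up.
SAMPLE = [
    "10:02 Unknown: watch the stream hxxps://ikhwancast[.]com/live?id=7",
    "10:05 Unknown: mirror at hxxp://cdn.FR24cast[.]com:8443/a",
    "10:09 Friend: article at https://example.org/fr24cast.com",
    "10:11 Unknown: hxxp://ghazacast[.]com.evil.example/x notghazacast[.]com",
]

# Explicit http(s) URLs or bare host-like tokens, with optional port/path.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/?#][^\s<>\"']*)?", re.I)

def refang(text):
    """Undo common defanging (hxxp, [.], (.), [:]) so URLs parse normally."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)", ".", text).replace("[:]", ":")

def host_of(candidate):
    """Lowercased hostname of a URL or bare host token, or None."""
    url = candidate if "://" in candidate else "http://" + candidate
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def ioc_hosts(iocs):  # published indicator -> bare hostname
    return {host_of(refang(i)) for i in iocs}

def find_hits(lines, hosts):
    """(line_number, host) for links whose host is an indicator or its subdomain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(refang(line)):
            host = host_of(m.group(0))
            if host and any(host == h or host.endswith("." + h) for h in hosts):
                hits.append((n, host))
    return hits

if __name__ == "__main__":
    print(find_hits(SAMPLE, ioc_hosts(PUBLISHED_IOCS)))
```

Matching is done on the parsed hostname rather than on a substring, so a look-alike that merely contains an indicator, or a URL that carries it only in the path, is not reported.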

From zero-click to one-click attacks

The latest campaign appears to differ from some of Pegasus' most sophisticated past operations.

According to reports, the new attacks relied on so-called “one-click” techniques that require victims to interact with a malicious link. Earlier Pegasus campaigns often leveraged “zero-click” vulnerabilities, compromising devices without any user interaction at all.

While requiring a click may sound less dangerous, phishing remains one of the most effective attack techniques available to cybercriminals and spyware operators alike. Carefully crafted messages that impersonate banks, delivery services, employers, or government agencies can still convince victims to interact with malicious content.

Warning signs of spyware infection

Advanced spyware is difficult to detect, with many sophisticated infections leaving no obvious indicators. However, the typical warning signs (if any) include:

  • Rapid battery drain
  • Overheating without explanation
  • Increased data usage
  • Random crashes or reboots
  • Microphone or camera activating unexpectedly
  • Strange messages or calls
  • Apps requesting unusual permissions

How to protect yourself

While most users are unlikely to be targeted by mercenary spyware, the tactics used to deliver these tools often overlap with ordinary phishing attacks.

To reduce your risk:

  • Keep WhatsApp, your operating system, and all apps fully updated.
  • Be cautious with unexpected links, even if they appear to come from trusted contacts.
  • Enable advanced security features offered by your device.
  • Use multi-factor authentication wherever possible.
  • Pay attention to unusual device behavior such as unexplained battery drain, overheating, or unexpected network activity.
  • High-risk individuals—including journalists, activists, executives, and government officials—should consider enhanced device protections and security monitoring.
  • Apple’s Lockdown Mode and similar hardened security features can reduce attack surfaces for users who may face elevated risk; these protections may restrict some functionality but can help block advanced exploit techniques.

To further reduce your risk, use a reputable mobile security solution that can detect malicious apps, phishing attempts, suspicious behavior, and known attack indicators. Security tools also block malicious websites used in spyware delivery campaigns.

Author


Filip TRUȚĂ

Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.
