WhatsApp says it disrupted new NSO spyware phishing attacks

by · BleepingComputer

WhatsApp has detected and stopped spear-phishing campaigns allegedly conducted by the NSO Group after investigating user reports of social engineering attacks.

The NSO Group is an Israeli commercial spyware vendor known for its advanced “Pegasus” tool that has been deployed against politicians, activists, journalists, academics, and other “high-interest” individuals.

The firm has been on the U.S. sanctioned entities list since November 2021 for supplying foreign governments with software products that were used against people and organizations in the U.S. Tools from NSO were also used by regimes considered repressive to target dissidents outside their borders.

Despite that, NSO continued to target WhatsApp users, on multiple occasions using zero-day vulnerabilities.

WhatsApp's parent company, Meta, has fought NSO Group in U.S. courts, securing a permanent injunction against it in 2025, a declaration of liability for 1,400 infections, and an associated $167,000,000 fine.

According to Meta’s latest announcement, these prior rulings have not deterred NSO Group's activities targeting certain WhatsApp users.

It is alleged that the attacker attempted to lure targets into clicking on malicious links that redirected to external websites, resembling previously documented one-click phishing campaigns associated with NSO.

“We successfully disrupted NSO-linked social engineering attempts, after investigating user reports,” Meta says.

“They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO.”

“We also caught them creating test accounts and groups on WhatsApp, which we took down.”

The tech giant listed the following domains as indicators of compromise for the attacks it detected, and promised :

  1. ikhwancast[.]com
  2. ghazacast[.]com
  3. fr24cast[.]com
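For defenders who want to check DNS or proxy logs against these three indicators, the following is an added example (not code from Meta or BleepingComputer). It refangs the listed domains and matches them on label boundaries, so subdomains hit while look-alike hosts do not. The log format (`timestamp client query`), the sample lines, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the article.
DEFANGED_IOCS = ["ikhwancast[.]com", "ghazacast[.]com", "fr24cast[.]com"]

def refang(indicator):
    """Turn a defanged domain (example[.]com) into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_DOMAINS = [refang(d) for d in DEFANGED_IOCS]

def extract_host(value):
    """Accept a bare hostname or a full URL; return the normalized hostname."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value            # lets urlsplit parse host[:port]/path
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()     # drop the DNS root dot, fold case

def matches_ioc(value):
    """Return the IoC domain if the host equals it or is a subdomain of it."""
    host = extract_host(value)
    for domain in IOC_DOMAINS:
        # Compare on a label boundary: a plain substring test would flag
        # unrelated hosts that merely contain the indicator text.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def hunt(lines):
    """Scan 'timestamp client query' lines; return (client, host, ioc) hits."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue                    # skip malformed lines
        _, client, query = parts
        ioc = matches_ioc(query)
        if ioc:
            hits.append((client, extract_host(query), ioc))
    return hits

def sample_log():
    """Constructed log lines, built from the indicators above."""
    a, b, c = IOC_DOMAINS
    return ["2025-01-01T10:00:01Z 10.0.0.5 www.example.org",
            f"2025-01-01T10:00:02Z 10.0.0.7 cdn.{c.upper()}.",     # subdomain
            f"2025-01-01T10:00:03Z 10.0.0.8 not{c}",               # look-alike
            f"2025-01-01T10:00:04Z 10.0.0.9 https://{b}/path",     # full URL
            f"2025-01-01T10:00:05Z 10.0.0.9 {a}.example.net"]      # prefix only

if __name__ == "__main__":
    for hit in hunt(sample_log()):
        print(hit)
```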

Meta argues that this activity violates the 2025 court order that issued a permanent injunction against NSO Group, preventing the spyware vendor from targeting WhatsApp or its users.

Meta's announcement highlights the threat that NSO Group poses to national security, citing a statement the spyware company’s CEO made in court about seeking access vectors beyond WhatsApp, and noting that the firm has been sanctioned in the U.S.

WhatsApp noted that end-to-end encryption effectively protects users’ messages and calls from Pegasus and other spyware, but urged users to update their apps and operating systems for optimal protection.

To block commercial spyware attacks or strengthen defenses on mobile, Android users can also activate ‘Advanced Protection,’ while iOS users can enable ‘Lockdown Mode,’ both of which are specifically designed to reduce the attack surface and data exposure to spyware.
