Meta said it disrupted a new NSO Group-linked operation that used one-click phishing against WhatsApp users and has asked a U.S. federal court to hold the spyware vendor in contempt for allegedly violating a permanent injunction. According to WhatsApp, the activity relied on malicious external links, social engineering, and WhatsApp test accounts and groups used to stage the attacks, echoing tactics previously associated with Pegasus spyware campaigns. Meta also published malicious domains and related indicators tied to the infrastructure and said it removed the accounts involved.
The alleged targeting primarily affected fewer than 10 users in Jordan and Lebanon, and WhatsApp said it found no evidence of successful device compromise. The filing follows earlier court action over NSO’s 2019 campaign that exploited a WhatsApp VOIP stack buffer overflow to compromise about 1,400 users, a case that resulted in a jury award of more than $167 million in punitive damages plus compensatory damages and a court order barring NSO from targeting WhatsApp or its users. Meta said the new activity shows continued exploit development and spyware operations despite that injunction.

5 events from the most recent confirmed update back to the earliest known activity.
After disrupting the alleged campaign, Meta asked a U.S. federal judge to hold NSO Group in contempt for allegedly violating the permanent injunction. Meta also published malicious domains and related indicators tied to the phishing infrastructure.
Meta said WhatsApp disrupted a new spear-phishing operation linked to NSO Group that used one-click phishing via malicious external links and WhatsApp test accounts and groups. The activity primarily targeted fewer than 10 users in Jordan and Lebanon, and WhatsApp said it found no evidence of successful device compromise.
Following the liability finding and damages verdict, a permanent injunction barred NSO Group from targeting WhatsApp or its users. Meta later alleged NSO violated this order through a new phishing operation.
In May 2025, a jury verdict ordered NSO Group to pay more than $167 million in punitive damages and $444,719 in compensatory damages over the 2019 Pegasus spyware campaign that compromised about 1,400 WhatsApp users.
A U.S. court found NSO Group liable for hacking WhatsApp users with Pegasus spyware. This ruling is described as having occurred in December 2024 and preceded a later permanent injunction.