Meta’s WhatsApp said it will ask a U.S. court to hold NSO Group in contempt after alleging the spyware vendor again used WhatsApp infrastructure to target users with Pegasus spyware, despite a prior court order barring such activity. Citizen Lab said the new allegations point to continued targeted surveillance through messaging platforms, with researchers arguing the reported conduct strengthens the case for ongoing sanctions and further legal consequences against NSO.
The allegations fit a broader pattern in which Pegasus and similar mobile spyware have been delivered through zero-click chains in apps such as WhatsApp and iMessage, often leaving only limited forensic traces. Prior reporting and technical analysis have tied Pegasus to exploits including CVE-2019-3568, while later research highlighted newer WhatsApp- and Apple-related exploit chains, artifacts such as CASCADEFAIL, and the need for high-risk organizations to rely on mobile telemetry, network monitoring, forensic review, and protections such as Apple Lockdown Mode to detect or blunt sophisticated mobile intrusions.

7 events from the most recent confirmed update back to the earliest known activity.
WhatsApp said NSO Group had again used WhatsApp to lure targets into downloading Pegasus spyware, conduct that Meta said violated a U.S. court order issued the previous year. Meta said it planned to ask a U.S. court to hold NSO in contempt over the alleged renewed abuse.
Codeby published an analysis of zero-click mobile exploitation chains involving Pegasus and Predator, including FORCEDENTRY, CASCADEFAIL, CVE-2019-3568, and the reported 2025 WhatsApp/ImageIO chain. The article argued that such attacks often evade enterprise EDR and recommended MDM telemetry, network analytics, and scheduled forensic analysis for high-risk devices.
A Codeby article reported on a 2025 Pegasus zero-click chain that allegedly combined WhatsApp flaw CVE-2025-55177 with Apple ImageIO flaw CVE-2025-43300 and said it had been exploited in the wild against targeted victims. The article framed the chain as part of broader analysis of Pegasus and Predator mobile exploitation techniques.
Bill Marczak published an analysis examining whether public evidence supported attribution of TRIANGULATION to the NSA and whether the "BackupAgent" artifact was specific enough to identify infections. The article compared the campaign with NSO Group and QuaDream operations and emphasized monitoring mobile traffic and messaging-app attack surfaces.
In June 2023, the TRIANGULATION iPhone spyware campaign was disclosed after the Russian FSB alleged NSA compromise of Apple devices in Russia and Kaspersky published forensic evidence of a real intrusion campaign. Kaspersky identified suspicious exfiltration from management devices and linked compromise timing to a process labeled "BackupAgent," which became a key forensic indicator.
Bill Marczak published a technical critique of the forensic claims around the alleged compromise of Jeff Bezos' iPhone after a WhatsApp video attachment reportedly sent by Mohammed bin Salman. He called for verification of the video file, decryption of the WhatsApp downloader artifact, and clarification of how outbound traffic spikes were derived from iOS forensic data.
Chronicle published an analysis arguing that GOSSIPGIRL is a collaborative "Supra Threat Actor" umbrella rather than a single actor, tying together platforms including Flame, Stuxnet, Duqu, and Equation. The piece also claimed discoveries including Stuxshop links, Duqu 1.5, and Flame 2.0 as a continuation beyond Flame's supposed shutdown.
5 references tracked.
citizenlab.ca
codeby.net
medium.com
medium.com
medium.com