WhatsApp Disrupts New NSO Spyware Phishing Campaign Targeting High-Risk Users

Meta Says NSO-Linked Attackers Used Social Engineering Tactics Despite Court Injunction

WhatsApp has revealed that it recently disrupted a new phishing campaign allegedly linked to the NSO Group, the controversial spyware company behind the Pegasus surveillance platform. The discovery suggests that commercial spyware operators continue to pursue new attack methods despite legal restrictions and growing international scrutiny.

According to Meta, attackers attempted to trick selected targets into clicking malicious links that redirected them to external websites. The campaign relied on social engineering rather than software vulnerabilities, highlighting how threat actors increasingly combine phishing techniques with advanced surveillance tools.

What Happened?

Meta launched an investigation after receiving reports from users who encountered suspicious messages and phishing attempts on WhatsApp.

The company says the attackers tried to lure victims into clicking malicious links that led to websites outside the WhatsApp platform. These tactics closely resemble previous one-click phishing operations that security researchers have associated with NSO Group activity.

During the investigation, WhatsApp also identified and removed test accounts and groups that attackers allegedly created to prepare and coordinate the campaign.

Although Meta did not disclose how many users were targeted, the company described the activity as part of a broader effort to monitor and disrupt commercial spyware operations.

A Continued Battle Against Pegasus Spyware

The NSO Group is widely known for Pegasus, one of the world's most sophisticated spyware platforms. Governments and intelligence agencies have used the tool to conduct surveillance operations against individuals considered high-value targets.

Over the years, Pegasus infections have reportedly affected journalists, political figures, activists, academics, and human rights defenders across multiple countries.

Meta has spent years pursuing legal action against NSO Group. In 2025, the company secured a major court victory that resulted in a permanent injunction prohibiting NSO from targeting WhatsApp users. The ruling also held the company liable for approximately 1,400 previous infections and imposed substantial financial penalties.

However, Meta now argues that recent activity demonstrates that the threat has not disappeared.

Indicators of Compromise Identified

As part of its investigation, Meta disclosed several domains allegedly connected to the phishing campaign.

The identified indicators include:

  • ikhwancast[.]com
  • ghazacast[.]com
  • fr24cast[.]com

Security teams can use these indicators to review network logs, threat intelligence feeds, and endpoint telemetry for signs of potential exposure.
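As an added example (not code from Meta or WhatsApp), the sketch below refangs the three published domains and sweeps proxy or DNS log text for them, matching on label boundaries so subdomains hit and lookalike names do not. The log layout, function names, and sample lines are assumptions constructed for illustration.

```python
import re

# Indicators exactly as published on this page (defanged).
DEFANGED_IOCS = ["ikhwancast[.]com", "ghazacast[.]com", "fr24cast[.]com"]

def refang(indicator):
    """Turn a defanged indicator into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

IOC_DOMAINS = frozenset(refang(i) for i in DEFANGED_IOCS)

# Hostname-shaped tokens; the lookbehind stops matches starting mid-token.
HOST_RE = re.compile(
    r"(?<![\w.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?", re.I)

def matched_ioc(hostname):
    """Return the IoC that hostname equals or is a subdomain of, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    # Compare whole parent domains so matching respects label boundaries.
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in IOC_DOMAINS:
            return parent
    return None

def scan(log_text):
    """Return (line_number, hostname, ioc) for every hit in the log text."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in HOST_RE.finditer(line):
            host = m.group(0).lower().rstrip(".")
            ioc = matched_ioc(host)
            if ioc:
                hits.append((line_no, host, ioc))
    return hits

# Constructed sample log lines (hypothetical format, not real telemetry).
SAMPLE_LOG = """\
2025-01-01T10:00:01Z proxy 10.0.0.5 GET https://cdn.fr24cast.com/live/index.html 200
2025-01-01T10:00:02Z dns 10.0.0.7 query A IKHWANCAST.COM.
2025-01-01T10:00:03Z proxy 10.0.0.5 GET https://notfr24cast.example/ 200
2025-01-01T10:00:04Z dns 10.0.0.9 query A ghazacast.com.example.org.
2025-01-01T10:00:05Z proxy 10.0.0.8 GET https://www.example.org/news 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit identifies a device that resolved or requested one of the domains; it does not by itself show that anything was installed, so treat it as a lead for endpoint review.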

Organizations that support journalists, government officials, executives, or other high-profile individuals should pay particular attention to suspicious communications that reference external websites or unexpected requests.

Why This Attack Matters

This incident highlights an important shift in the spyware landscape. Advanced surveillance vendors do not always rely on zero-day vulnerabilities to gain access to targets.

Instead, attackers increasingly use social engineering to convince victims to take actions that bypass technical security controls. A carefully crafted phishing message can sometimes achieve the same objective as an expensive software exploit.

As a result, organizations must treat phishing awareness as a critical defense layer, especially for employees who may face targeted surveillance attempts.

The campaign also demonstrates that commercial spyware remains a significant cybersecurity concern despite regulatory pressure, sanctions, and legal challenges.

How Users Can Protect Themselves

Meta emphasized that WhatsApp's end-to-end encryption continues to protect messages and calls from interception. However, encryption alone cannot prevent users from visiting malicious websites or interacting with phishing content.

Users can strengthen their defenses by:

  • Keeping WhatsApp updated to the latest version
  • Installing operating system security updates promptly
  • Avoiding unexpected links from unknown contacts
  • Verifying suspicious messages through trusted channels
  • Enabling additional device security protections

Android users can activate Advanced Protection features designed to reduce exposure to sophisticated threats. Meanwhile, Apple users can enable Lockdown Mode, which restricts several device functions that attackers often abuse during targeted surveillance campaigns.

The Bigger Picture

The latest disruption underscores a broader reality facing the cybersecurity industry. Commercial spyware vendors continue to evolve their tactics, even as governments, regulators, and technology companies increase scrutiny.

While technical exploits remain powerful attack tools, social engineering continues to deliver results for threat actors. Therefore, organizations must combine strong technical controls with user awareness, threat intelligence, and continuous monitoring.

As spyware operators expand beyond traditional attack methods, security teams should expect more campaigns that blend phishing techniques with advanced surveillance capabilities. Staying vigilant remains one of the most effective defenses against these evolving threats.