WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware
Cybersecurity NewsArchived Jun 08, 2026✓ Full text saved
Meta’s WhatsApp has identified and disrupted a fresh wave of spear-phishing campaigns linked to NSO Group, the Israeli spyware firm blacklisted by the U.S. government, and is now asking a federal court to hold the company in contempt for violating a permanent injunction issued just last year. In May 2025, a U.S. federal jury ordered […] The post WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware
By Guru Baran
June 8, 2026
Meta’s WhatsApp has identified and disrupted a fresh wave of spear-phishing campaigns linked to NSO Group, the Israeli spyware firm blacklisted by the U.S. government, and is now asking a federal court to hold the company in contempt for violating a permanent injunction issued just last year.
In May 2025, a U.S. federal jury ordered NSO Group to pay $167,254,000 in punitive damages and $444,719 in compensatory damages to WhatsApp following a 2019 campaign that compromised approximately 1,400 users.
That case which began when NSO exploited a buffer overflow vulnerability in WhatsApp’s VOIP stack to silently deliver Pegasus spyware resulted in a permanent injunction barring NSO from ever targeting WhatsApp and its users again.
NSO’s history of defiance is well-documented; court filings revealed the firm continued developing exploits including malware vectors codenamed “Erised” and “Heaven” even after the original lawsuit was filed.
WhatsApp’s latest investigation, triggered by user reports, uncovered NSO-linked accounts attempting to lure users into clicking on malicious external links, a classic 1-click phishing technique previously attributed to NSO Group.
The campaign primarily targeted fewer than 10 users in Jordan and Lebanon, according to a Meta spokesperson, who confirmed no signs of successful device compromise were detected. WhatsApp also identified and took down test accounts and groups created by threat actors to stage the attacks.
WhatsApp Disrupts NSO Attack
WhatsApp is now petitioning the U.S. federal court to hold NSO in contempt of the permanent injunction, arguing that the renewed targeting activity constitutes a direct and willful violation of a binding court order.
NSO’s own CEO has confirmed in court that the company actively seeks “vectors, or ways to access the phone” beyond WhatsApp — including browsers, operating systems, and third-party applications illustrating the persistent and expansive nature of its surveillance-for-hire operations.
WhatsApp is not fighting this battle alone. In May 2026, 12 civil rights organizations filed amicus briefs in support of the permanent injunction against NSO’s appeal.
WhatsApp has also made a significant financial contribution to the Spyware Accountability Initiative (SAI), a fund supporting forensic research organizations, advocacy groups, and user-support networks globally.
Citizen Lab, a key technical partner since 2019, previously leveraged its spyware research to trigger an Apple security update protecting over a billion devices.
Threat Indicators (IOCs)
The following malicious domains have been confirmed as linked to NSO-associated phishing infrastructure. Users and defenders are urged to scan across all platforms — SMS, email, and messaging apps:
Indicator Type Value
Malicious Domain hxxps://ikhwancast[.]com
Malicious Domain hxxps://ghazacast[.]com
Malicious Domain hxxps://fr24cast[.]com
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account
Kali365 PhaaS Operation Expands Beyond Microsoft 365 to Target Okta and MAX Messenger
Windows Search URI Handler Flaw Leaks NTLMv2 Hashes to Attacker-Controlled Servers
New Magecart Attack Turns Stripe into a Malware Command Server
TP-Link Router Vulnerability Allows Attackers to Execute Arbitrary System Commands
Latest News
Cyber Security
OWASP Releases AI Security Report to Empower Security Professionals with New Tools
Cyber Security News
Internet Explorer WebBrowser Control Attack Chain Turns Clicks Into RCE
Cyber Security News
Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious Scripts
Cyber Security News
UniFi OS Server Critical RCE Chain Allows Root Access Without Credentials
Cyber Security News
Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server