
Meta Accuses NSO Group of Breaching WhatsApp Injunction

"We successfully disrupted NSO-linked social engineering attempts after investigating user reports," Meta wrote — a terse declaration that has reopened a legal and technical fight between the messaging company and the Israeli spyware vendor NSO Group.

“NSO-linked social engineering attempts,” according to Meta

Meta has asked a federal judge to hold NSO Group in contempt after alleging the company targeted WhatsApp users again, despite a permanent injunction ordering it to stop. In a blog post on Monday, Meta said it had disrupted activity it described as "NSO-linked social engineering attempts" following user reports. The company said the attempts tried to trick people into clicking malicious links that redirected them to websites outside WhatsApp, calling the technique similar to "previously reported 1-click phishing campaigns linked to NSO."

The tactics Meta says were used: links, accounts and groups

WhatsApp described three distinct elements of the activity it linked to NSO: lure messages carrying malicious links that sent targets to external websites; the creation of test accounts on WhatsApp; and the formation of groups on the messaging platform. Meta said it "successfully disrupted" those activities after investigation. Beyond that summary, the company provided few technical details — it did not say when the activity occurred, how many users may have been targeted, whether any compromises were successful, or how it attributed the operation to NSO.

Indicators published: three domains named

WhatsApp published a handful of domains it linked to the campaign, naming ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com. The company said it was releasing indicators to help organizations identify related activity. Meta framed its disclosure with broader language about national-security implications, writing that "When a malicious company on the US government's Entity List continues to defy US courts, existing restrictions must remain firmly in place," and adding that easing them would "undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk."

Court history cited: December 2024 finding, May 2025 jury award, permanent injunction

Meta's move comes against a recent legal backdrop. A U.S. court found NSO liable in December 2024 for hacking WhatsApp users via the Pegasus spyware, according to Meta's post. In May 2025 a jury awarded Meta roughly $168 million in damages; a judge later cut that award to $4 million while issuing a permanent injunction barring NSO from targeting WhatsApp or its users. Meta framed its contempt filing as a response to that injunction, saying "Last year, WhatsApp made history by securing a landmark verdict and permanent injunction barring NSO Group ... from targeting WhatsApp and its users ever again," and asserting that "Today, we're asking the court to hold them in contempt of that order."

What this means for technologists, policymakers, and end users

  • Technologists and security teams: WhatsApp's publication of domains and "indicators" gives defenders concrete artifacts to incorporate into detection and hunting efforts. Meta also reported disruption of the activity after investigation, indicating a combination of platform controls and incident response was used.
  • Policymakers and regulators: Meta's post invoked the US government's Entity List and tied enforcement of restrictions to national-security concerns, arguing that easing restrictions would "undermine US national security." That framing places the incident in the space where export-control and sanctions policy conversations intersect with platform security enforcement.
  • End users and organizations: Meta said the campaign relied on social engineering to push targets to external websites via malicious links. WhatsApp's release of domains and indicators is expressly aimed at helping organizations identify related activity and respond.
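
One way a security team could fold the three published domains into a log hunt, as an added example that is not from Meta, WhatsApp, or The Register. The log format, client addresses, subdomain and paths below are constructed for illustration, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Indicators exactly as published on this page (defanged form).
PUBLISHED = ["ikhwancast[.]com", "ghazacast[.]com", "fr24cast[.]com"]

def refang(indicator):
    """Turn a defanged domain (example[.]com) back into matchable form."""
    return indicator.strip().lower().replace("[.]", ".")

IOC_DOMAINS = {refang(d) for d in PUBLISHED}

def host_of(token):
    """Extract a hostname from a bare name or a URL; returns '' if none."""
    token = token.strip().strip('"\'<>(),;')
    if "://" not in token:
        token = "//" + token  # let urlsplit treat a bare name as a host
    try:
        host = urlsplit(token).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()  # drop the DNS root dot, normalise case

def matches_ioc(host):
    """True for an indicator or any subdomain of it, on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def hunt(lines):
    """Return (line_number, host) for each log line that references an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            host = host_of(token)
            if host and matches_ioc(host):
                hits.append((n, host))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-06-01T10:00:01Z dns query A cdn.FR24CAST.com. client=10.0.0.5",
    "2026-06-01T10:00:02Z proxy GET https://ghazacast.com/a?id=1 client=10.0.0.7",
    "2026-06-01T10:00:03Z dns query A notfr24cast.com client=10.0.0.8",
    "2026-06-01T10:00:04Z proxy GET https://example.org/?u=ikhwancast.com.example.net",
    "2026-06-01T10:00:05Z dns query A ikhwancast.com client=10.0.0.9",
]

if __name__ == "__main__":
    for n, host in hunt(SAMPLE_LOG):
        print(f"line {n}: {host}")
```

Matching on a label boundary keeps look-alike names such as `notfr24cast.com` and an indicator that only appears inside another site's query string from raising false hits.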

Meta did not provide an attribution playbook in the post — it offered summary descriptions, artifacts, and a legal filing — and did not answer follow-up questions from The Register. The company asked a federal judge to treat the activity as contempt of the permanent injunction that followed the December 2024 finding and the May 2025 jury award. If Meta's allegations are accurate, the episode suggests that a court loss was not enough to persuade a spyware vendor to stop targeting WhatsApp and its users.

Original story: https://www.theregister.com/security/2026/06/08/nso_group_back_in_metas_crosshairs_after_alleged_whatsapp_targeting/5252105