"We successfully disrupted NSO-linked social engineering attempts, after investigating user reports," Meta said in a blog post, announcing a new legal escalation against the Israeli spyware maker NSO Group.
Meta’s disruption of NSO-linked spearphishing
Meta said Monday it detected and disrupted a spearphishing campaign it links to NSO Group even though a U.S. court has issued a permanent injunction barring the company from targeting WhatsApp users. According to Meta, the campaign used social engineering to try to trick people into clicking malicious links that would direct them to external websites outside of WhatsApp — tactics the company said resembled previously reported "1‑click" phishing operations associated with NSO.
Meta added that its teams discovered what it described as test accounts and groups set up on WhatsApp tied to the campaign and that those accounts and groups were taken down. The company said the pattern of activity resembled spyware infections that affected journalists and activists in Jordan from 2019 to 2023.
The WhatsApp injunction and $168 million judgment
Meta reminded readers that it won a civil case last year against NSO Group that produced a permanent injunction barring NSO from targeting WhatsApp users and resulted in $168 million in damages. NSO Group has been appealing that ruling. Meta says the recent activity amounts to defiance of the injunction and has filed a contempt-of-court complaint as a result.
NSO’s placement on the U.S. Entity List and the public debate
Commenting on the episode, Meta argued that continued activity by a company on the U.S. government's Entity List undercuts any rationale for easing restrictions. "When a malicious company on the US government’s Entity List continues to defy US courts, existing restrictions must remain firmly in place," Meta wrote, adding that loosening those restrictions would, in its view, "undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk." The source material also notes that NSO has fought to be removed from the Entity List since its designation in 2021.
Third-party researcher response: John Scott‑Railton and Citizen Lab
John Scott‑Railton, senior researcher at the University of Toronto’s Citizen Lab, commented on social media that NSO’s recent actions reinforce the case for keeping the company on the U.S. Entity List. "NSO’s own actions make the strongest argument for why they should stay on the Entity list," he wrote. "And reaffirm that the decision to put them there was the right one," the source reports.
Congressional interest, company ties, and unanswered outreach
The reporting notes that lawmakers have sought information about the federal government's prospective use of NSO Group technology and other kinds of spyware, even as the company remains blacklisted. That interest has occurred, the source says, in the context of reports about close ties between NSO Group's new executive chairman and President Donald Trump. NSO Group did not respond to requests for comment about Meta’s accusations, the reporting adds.
What this means for journalists and activists, policymakers, and end users
- Journalists and activists: The campaign Meta describes echoes earlier infections in Jordan from 2019 to 2023, suggesting that groups previously targeted could see similar tradecraft reappear and that notification and remediation by platform defenders remain relevant.
- Policymakers and regulators: Meta and a prominent academic researcher framed the episode as support for maintaining the U.S. Entity List designation and current export and access restrictions; lawmakers have already sought information on potential government use of the technology, according to the report.
- End users and enterprise defenders: Meta’s account centers on the detection and takedown of test accounts, groups, and malicious links. For defenders, those are the observable signals Meta cited as evidence that the campaign was underway and that platform moderation and investigative work interrupted it.
Meta has translated the disruption into a legal step — a contempt-of-court filing — asserting that the activity violated a court order tied to a $168 million judgment. The reporting leaves that filing as the immediate tangible escalation; NSO Group's response was not available at the time of publication. The episode ties technical signals on a messaging platform to a legal and policy debate over how to constrain companies that supply spyware tools, and it raises a concrete question for courts and regulators: if a banned actor is alleged to resume banned behavior, what enforcement measures should follow?
Original reporting: https://cyberscoop.com/meta-contempt-complaint-nso-group-spyware/
