"They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO," Meta said.
Meta's detection and the contempt filing
Meta announced on Monday that it detected and blocked spear-phishing attempts it attributes to NSO Group and has filed a federal court contempt order against the company. According to Meta, the contempt filing alleges NSO violated a permanent injunction that barred it from targeting WhatsApp and WhatsApp users. Meta also said it identified and removed test accounts and groups on WhatsApp that were linked to the activity.
Spear-phishing technique and the malicious domains
- Meta described the operation as a spear-phishing campaign that used malicious links to drive targets to websites outside of WhatsApp, aligning the activity with previously reported "1-click" phishing tactics linked to NSO.
- Meta published a short list of domains associated with the activity. They are:
- fr24cast[.]com
- ghazacast[.]com
- ikhwancast[.]com
- Meta said the company removed the test accounts and groups it tied to this activity as part of its response.
NSO Group's recent legal and regulatory context
The announcement comes roughly a year after a U.S. court awarded approximately $168 million in monetary damages against NSO Group, finding the company violated U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware targeting over 1,400 people globally. Meta also noted that NSO was added to a U.S. Commerce Department blocklist in 2021 for engaging in activities "contrary to the national security or foreign policy interests of the United States."
WhatsApp protections and Meta's recommended hardening steps
Meta reiterated that WhatsApp communications remain end-to-end encrypted by default: "As always, WhatsApp users' personal messages and calls remain protected with default end-to-end encryption," the company said. Alongside technical blocking and the legal filing, Meta advised users at elevated risk to enable WhatsApp's strict account settings. Meta's help document lists the following controls as part of that lockdown-style feature:
- Two-step verification is turned on.
- Link previews are turned off.
- Last seen and online, profile photo, About details, and profile links are locked to contacts only or to a pre-established list of people.
- Only known contacts or a pre-established list of people can be added to groups.
Meta described strict account settings as "an optional, lockdown-style security feature that, when enabled, reduces your vulnerability to cyber attack by limiting functionality."
What this means for technologists, policymakers, and end users
- Technologists and security teams: Meta's detection and domain list provide immediate indicators for defensive controls and monitoring; test accounts and groups tied to the activity were removed from WhatsApp, signaling a blend of platform-based mitigation and user guidance.
- Policymakers and regulators: The contempt filing follows a sequence of legal actions and regulatory measures — including the roughly $168 million judgment and the 2021 Commerce Department blocklist — underscoring an ongoing legal pathway being pursued through U.S. courts and administrative lists.
- End users and at-risk targets: Meta advises updating apps and devices, reporting suspicious activity, and enabling strict account settings — practical steps Meta says reduce the attack surface against "sophisticated cyber attacks."
Meta has combined technical takedowns with a legal escalation: blocking domains and removing accounts on WhatsApp while asking a federal court to enforce an injunction. The immediate result is a set of URLs and account artifacts the company says it blocked and a new court filing that will determine whether the permanent injunction is enforced against further activity. How the court responds to the contempt motion will be the next concrete milestone in a sequence that already includes a multi-million-dollar judgment and an administrative blocklisting in 2021.
