"They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported one-click phishing campaigns linked to NSO," WhatsApp said on June 8, describing what it called a targeted effort to lure users away from the platform and toward spyware operators.
WhatsApp's contempt motion to a US court
WhatsApp has asked a US court to hold NSO Group in contempt, alleging the blacklisted spyware firm violated a permanent injunction that bans it from targeting users. The messaging giant said it "successfully disrupted" social engineering attempts after investigating user complaints and asked the court to send a clear message that the injunction must be enforced. WhatsApp warned that "when a malicious company on the US government’s Entity List continues to defy US courts, existing restrictions must remain firmly in place," adding that "easing them would undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk."
Technical details WhatsApp disclosed
According to WhatsApp, the activity it disrupted resembled "one-click phishing" campaigns previously linked to NSO Group. The company said attackers tried to trick people into clicking malicious links that redirected them to external websites outside of WhatsApp. In addition to link-based lures, WhatsApp reported that it discovered test accounts and groups on its service that it removed. The company published three domains it says were used in the alleged phishing campaign so that other users can check whether they were targeted. WhatsApp also cautioned that attacks "might come via email, text message, WhatsApp message 'or something else.'"
Legal and regulatory backdrop: damages, injunctions, and the Entity List
Last year, a court ordered NSO Group to pay damages of over $167 million after finding the company hacked into about 1,400 WhatsApp users' devices. That award capped a six-year case that began after Meta engineers detected attempts by NSO to use its spyware tool, Pegasus, to target WhatsApp users including human rights activists, journalists and diplomats. In 2021, NSO Group was placed on the US Commerce Department’s Entity List, restricting its ability to buy components from American companies. NSO Group is currently appealing the permanent injunction it faces, and WhatsApp is seeking contempt findings as part of ongoing enforcement efforts.
NSO Group's posture and civil society response
NSO Group remains defiant and is pursuing an appeal of the permanent injunction against it. Last month, a group of 12 civil rights organizations filed amicus briefs to oppose NSO's appeal. Separately, WhatsApp said it had made a "significant contribution" to the Spyware Accountability Initiative, a fund dedicated to helping civil society organizations respond to the threat of commercial spyware.
How technologists, policymakers, and civil society are responding
- Technologists and security teams: Security teams will use the three domains published by WhatsApp to check for signs of targeting and to correlate other potential indicators of compromise tied to the reported one-click phishing tactics. WhatsApp's removal of test accounts and groups also signals a focus on platform hygiene and rapid takedown of attacker infrastructure.
- Policymakers and regulators: Regulators face a live enforcement question—whether courts will hold a blacklisted firm in contempt and whether existing export and trade restrictions tied to the Entity List should be maintained. WhatsApp framed this as a national security concern, arguing that easing restrictions would endanger American companies and billions of users globally.
- Civil society organizations: Civil rights groups have already joined the legal process; the Spyware Accountability Initiative now counts WhatsApp among contributors to a fund intended to support organizations fighting spyware. The filing of amicus briefs demonstrates continued legal and advocacy engagement alongside technical defenses.
The record in this episode is crisp: WhatsApp says it disrupted link-based social engineering tied to NSO, removed accounts and groups it attributed to the operator, published three domains for public checking, and has asked a US court to enforce the injunction against a firm that paid over $167 million in damages last year for hacking roughly 1,400 users. NSO is appealing the injunction, civil rights groups have filed to block that appeal, and WhatsApp has shifted resources into a spyware-fighting fund. The immediate question on the table is procedural but consequential — will the court find contempt and preserve the measures WhatsApp says are necessary to protect secure communications?
Source: https://www.infosecurity-magazine.com/news/whatsapp-nso-group-spearphishing/
