
WhatsApp Disrupts NSO Group's Spyware Phishing Campaigns


"We successfully disrupted NSO-linked social engineering attempts, after investigating user reports," Meta said, describing a fresh wave of spear‑phishing that WhatsApp detected and stopped.

WhatsApp and Meta: disruption of a social‑engineering campaign

Meta says its WhatsApp team investigated user reports of targeted social‑engineering attacks and intervened to stop campaigns it links to the NSO Group. According to Meta, attackers tried to trick people into clicking malicious links that redirected targets to websites outside WhatsApp — a pattern Meta calls similar to previously reported "one‑click" phishing campaigns associated with NSO.

In the course of its response, Meta says it removed accounts and groups the attackers created for testing and that it "took them down." The company published a short list of domains it associates with the activity as indicators of compromise.

NSO Group: sanctions, court rulings, and alleged persistence

The report ties the activity to the NSO Group, the Israeli commercial spyware vendor known for its Pegasus tool. The source material notes several legal and policy developments: NSO has been on the U.S. sanctioned entities list since November 2021, and Meta secured a 2025 permanent injunction against the firm in U.S. courts. That 2025 ruling also included a declaration of liability for 1,400 infections and an associated $167,000,000 fine.

Meta argues the newly reported activity violates that 2025 court order. The company also highlighted statements made in court by NSO's CEO about searching for access vectors beyond WhatsApp — a point Meta uses to frame the new activity as part of a continuing threat.

Technical indicators and described techniques

Meta published three domains it lists as indicators of compromise for the campaign:

  • ikhwancast[.]com
  • ghazacast[.]com
  • fr24cast[.]com

Meta characterises the approach as social engineering that lures targets to click links leading to external websites. The company also reminds readers that NSO has previously used zero‑day vulnerabilities on multiple occasions — a claim included in the source material — and that earlier NSO‑linked activity took the form of one‑click phishing.

What this means for technologists, policymakers, and end users

Technologists and security teams: Monitor DNS and web traffic for the listed domains and for similar redirects to external sites, remove suspicious test accounts and groups, and correlate user reports that signal targeted social‑engineering attempts. Meta's takedown demonstrates one defensive response, but the notice also underscores the need to watch for shifts in access vector.
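The monitoring step above, as an added example that is not code from Meta or the original reporting: it refangs the published `[.]` indicators and matches them against DNS and proxy log lines on label boundaries, so a subdomain of an IoC is a hit while a look‑alike such as `notghazacast.com` is not. The log line formats are constructed for the example.

```python
import re

# The three indicators as published in the notice, in defanged form.
PUBLISHED_IOCS = ["ikhwancast[.]com", "ghazacast[.]com", "fr24cast[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://...') into a plain hostname."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)           # common defanged scheme
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.rstrip("./")

def host_matches(host: str, ioc: str) -> bool:
    """True if host equals the IoC or is a subdomain of it (label-boundary aware)."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

# Constructed sample log lines (not from the notice): a DNS query log and a proxy log.
SAMPLE_LOGS = [
    "2025-01-10T09:12:03Z dns client=10.0.0.14 query=cdn.ghazacast.com type=A",
    "2025-01-10T09:12:05Z proxy client=10.0.0.14 url=https://fr24cast.com/invite/abc status=302",
    "2025-01-10T09:13:11Z dns client=10.0.0.21 query=notghazacast.com type=A",
    "2025-01-10T09:14:00Z proxy client=10.0.0.22 url=https://example.org/ status=200",
]

# Pulls the hostname out of either log format above (assumed formats, not a vendor's).
HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")

def extract_host(line: str):
    m = HOST_RE.search(line)
    return m.group(1).lower() if m else None

def find_ioc_hits(lines, iocs=PUBLISHED_IOCS):
    """Return (line, host, matched_ioc) for every log line whose host matches an IoC."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        host = extract_host(line)
        if not host:
            continue
        for ioc in refanged:
            if host_matches(host, ioc):
                hits.append((line, host, ioc))
                break
    return hits

if __name__ == "__main__":
    for line, host, ioc in find_ioc_hits(SAMPLE_LOGS):
        print(f"HIT {ioc}: {host} <- {line}")
```

In practice the same matcher runs over exported resolver or proxy logs; a hit on a subdomain or a redirect chain is the signal to pull the client's session for review.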

Policymakers and regulators: Meta explicitly frames the incidents as violations of the 2025 permanent injunction and points to NSO’s U.S. sanctions dating to November 2021. The company’s publication of IoCs and its references to the CEO’s court statement about other access vectors place enforcement of court orders and sanctions at the center of the policy response.

End users: WhatsApp repeated its standard guidance: end‑to‑end encryption defends messages and calls from Pegasus and other spyware, but users should keep apps and operating systems updated. Meta also advised Android users to enable "Advanced Protection" and iOS users to enable "Lockdown Mode" to reduce the attack surface exposed to commercial spyware.

Security posture and a narrow, practical conclusion

The factual record Meta provides here is compact: user reports prompted an investigation, WhatsApp removed test accounts and groups, and three domains were named as indicators of compromise tied to social‑engineering links that redirected outside the app. Meta places this activity against the backdrop of NSO’s sanctions and the 2025 court ruling that included a permanent injunction and a $167,000,000 fine for 1,400 declared infections.

That combination — public enforcement actions, sanctions, and freshly published technical indicators — frames the immediate questions: will legal penalties and public exposure curtail the behaviour Meta describes, or will the firm seek alternate access vectors as its CEO reportedly indicated in court? For now, Meta’s notice is both a technical alert and a legal claim; users are left with a concrete set of IoCs and two practical steps: update software and enable platform protections designed to limit spyware exposure.

Original reporting: BleepingComputer