A federal court told NSO Group: stop targeting WhatsApp users. Ever. We mean it.
Meta says NSO Group’s response was to create test accounts on WhatsApp, set up phishing infrastructure, and run social engineering campaigns against users. Meta noticed. Meta is not happy.
On June 8, 2026, WhatsApp announced it had disrupted new NSO-linked attack attempts — and is now asking a US federal court to hold NSO in contempt.
TL;DR
- In October-November 2025, a US court permanently banned NSO Group from targeting WhatsApp users
- By June 2026, NSO was allegedly linked to new social engineering attempts, fake accounts, and malicious domains
- WhatsApp disrupted the attacks and is filing a contempt motion
- Three malicious domains identified:
ikhwancast[.]com,ghazacast[.]com,fr24cast[.]com- NSO’s CEO confirmed in court that the company seeks new “vectors” beyond WhatsApp — browsers, operating systems, and other apps
- WhatsApp is sharing threat indicators publicly so anyone can check if they were targeted
Why This Matters
NSO Group makes Pegasus — arguably one of the most powerful commercial spyware products on the planet. Unlike random cybercriminals, NSO says it sells only to government intelligence and law enforcement agencies. Pegasus has reportedly been used to target journalists, human rights defenders, dissidents, and diplomats.
If Meta’s allegations are proven, this is not just a legal technicality. It would signal that commercial spyware vendors can treat court orders as another operational constraint — and that the systems we rely on for private communication remain attractive targets regardless of what any court says.
If you use WhatsApp — and 3 billion people do — this is your fight too.
The Story So Far: Six Years of Legal War
2019 — The Original Attack
WhatsApp discovered NSO Group had exploited a critical zero-click vulnerability in WhatsApp to infect approximately 1,400 devices with Pegasus spyware. The targets were not random: journalists, activists, lawyers, and government officials across dozens of countries.
Meta (then Facebook) sued NSO Group in October 2019 in the US District Court for the Northern District of California. The lawsuit alleged violations of the Computer Fraud and Abuse Act (CFAA) — the primary US federal law against unauthorized computer access.
NSO’s defense was essentially: we just make the tool, governments pull the trigger. Courts weren’t buying it.
December 2024 — Liability Established
After years of discovery battles — including evidentiary sanctions against NSO for refusing to comply with discovery orders — the court found NSO Group liable under the CFAA for using WhatsApp servers to deliver Pegasus. This was a landmark ruling: the court held a commercial spyware vendor directly accountable for its own use of platform infrastructure, not merely for selling a tool.
May 2025 — The $168 Million Verdict
A jury awarded Meta approximately $168 million in damages. The internet celebrated. NSO’s lawyers got to work.
October-November 2025 — Reduced Damages, Permanent Injunction
Judge Phyllis Hamilton reduced the punitive damages to about $4.0 million, leaving a final judgment of $4,447,190 including compensatory damages — a fraction of the jury award. For a company that reportedly charges millions for spyware capabilities, this was more a parking ticket than a deterrent.
But the judge also granted and entered a permanent injunction: NSO Group is permanently barred from targeting WhatsApp and its users again.
Permanent. Ever. We mean it.
June 2026 — Meta Says NSO Did It Anyway
Less than eight months after receiving a court order telling them to stop, WhatsApp detected new NSO-linked activity.
What WhatsApp Found
After investigating user reports, WhatsApp’s security team identified:
1. Spear-phishing campaigns Attackers attempted to trick users into clicking malicious links that redirected them to external websites. Meta described the activity as similar to previously reported NSO-linked “1-click” campaigns. The goal is to move the target into an attacker-controlled exploit path; Meta has not publicly said that every person who clicked was compromised.
2. Fake infrastructure on WhatsApp itself NSO (or operators acting on their behalf) created test accounts and groups directly on WhatsApp to build and test their attack infrastructure. WhatsApp detected and removed these accounts.
3. Three malicious domains The following domains were identified as part of the infrastructure. They’re defanged below — don’t visit them:
| Domain | Status |
|---|---|
ikhwancast[.]com | Confirmed malicious |
ghazacast[.]com | Confirmed malicious |
fr24cast[.]com | Confirmed malicious |
The naming pattern is worth noting: ikhwan can refer to “brotherhood” in Arabic, ghaza evokes Gaza, and fr24 resembles France 24, the news channel. That suggests media or political bait, but Meta has not publicly identified the intended victim themes.
”We’re Not Stopping at WhatsApp”
Perhaps the most alarming detail came not from the new attacks — but from NSO’s own CEO, who confirmed during court proceedings that the company looks for “vectors, or ways to access the phone” beyond WhatsApp.
Vectors include: browsers, operating systems, and other applications.
Translation: WhatsApp is just one of many targets. NSO’s business model requires continuous exploitation research across the entire device stack. A court order banning them from one app doesn’t change their incentives — it just redirects their engineers.
The Contempt Motion — What It Means Legally
A contempt of court finding is one of the few mechanisms courts have to enforce injunctions against defiant parties. If granted, the court can:
- Impose fines (civil contempt) — scaled to deter the behavior
- Coercive sanctions — escalating penalties until compliance
- In extreme cases, criminal contempt referrals
For a company already on the US government’s Entity List (blacklisted for activities contrary to national security or foreign policy interests), the contempt motion adds another layer of legal pressure. The Entity List restricts exports, reexports, and transfers of items subject to US export controls without BIS authorization, which limits NSO’s access to US-controlled technology.
The contempt motion won’t shut NSO down. But it keeps the legal screws turning.
Industry Response: Not Just Meta’s Fight
Last month, 12 civil rights organizations filed amicus briefs supporting Meta’s position against NSO’s appeal of the permanent injunction. The coalition included security researchers, privacy advocates, and digital rights experts.
WhatsApp is also funding the Spyware Accountability Initiative and — importantly — is sharing threat indicators publicly in its June 2026 spyware update.
For most individuals, that means watching for the published domains in suspicious messages and getting expert help if they believe they were targeted. For organizations, it means security teams can search DNS, proxy, email, and endpoint telemetry for the same indicators instead of waiting for platform-specific alerts.
If you’re a journalist, activist, lawyer, or work in sensitive government/NGO roles, this matters directly.
What You Can Do Now
For individuals:
- Update WhatsApp and your mobile OS immediately — WhatsApp’s current guidance is to keep both app and device software current
- Check for indicators — WhatsApp published IoCs (Indicators of Compromise) in its June 2026 spyware update
- Be suspicious of unsolicited links — even in contexts that look legitimate (news sites, “important updates”)
- Enable Strict Account Settings if you are high-risk — Settings → Privacy → Advanced → Strict Account Settings
For organizations:
- Block the identified domains at your perimeter:
ikhwancast.com,ghazacast.com,fr24cast.com - Treat mobile devices as high-value targets — Pegasus and similar tools operate at OS level, below MDM visibility
- Brief high-risk staff — journalists, lawyers, executives communicating on sensitive matters should understand that zero-click and 1-click spyware exists
- Consider endpoint telemetry for mobile — tools like iMazing or Amnesty Tech’s MVT (Mobile Verification Toolkit) can detect indicators of Pegasus infection
The Bigger Picture
NSO Group’s behavior is a preview of where commercial spyware is heading. The economics are simple: governments will pay millions for the ability to silently compromise any device. As long as that market exists, vendors will find ways to serve it — court orders or not.
The real question is whether legal systems can move fast enough to matter. Six years of litigation, a landmark verdict, a permanent injunction — and, according to Meta, NSO-linked activity was back within months.
The answer to commercial spyware isn’t just better lawyers. It’s better security research, better detection tooling, and platforms that take their users’ security seriously enough to actually fight back.
Meta’s fight against NSO may help constrain commercial spyware. Whether it changes NSO’s behavior in practice remains to be seen.
Related Posts
- State-Sponsored Threat Actors 2026: Who They Are and What They Do — NSO Group’s clients are the same state actors covered here — context on how commercial spyware fits into the broader nation-state threat landscape
Sources
- Fighting Spyware: An Update From WhatsApp — Meta Newsroom
- Final Judgment — WhatsApp LLC and Meta Platforms, Inc. v. NSO Group Technologies Limited and Q Cyber Technologies Limited
- WhatsApp Asks Court to Hold NSO Group in Contempt After New Attacks — TechBuzz
- NSO Group back in Meta’s crosshairs after alleged WhatsApp targeting — The Register
- US Court Blocks Spyware Vendor NSO Group from Targeting WhatsApp Users — Cyber Insider
- WhatsApp hack: Meta wins payout over NSO Group spyware — Malwarebytes Blog
- NSO Group Liable Under CFAA for Hacking WhatsApp Servers — EPIC
- Meta to take legal action against Israeli spyware firm NSO — Reuters via Yahoo News
- Entity List — Bureau of Industry and Security
- WhatsApp Strict Account Settings — Meta Newsroom