WhatsApp says it has disrupted new spyware-related activity linked to NSO Group, the Israeli surveillance company behind Pegasus, and is now asking a US federal court to hold the firm in contempt of a permanent injunction.
The new action follows a major legal win for WhatsApp and parent company Meta in their long-running case against NSO. The court had already barred NSO from targeting WhatsApp or its users after finding that the company violated federal and state hacking laws in connection with a 2019 attack on roughly 1,400 users.
This time, WhatsApp says the activity did not rely on an unknown WhatsApp vulnerability. The company said it investigated user reports and found spear-phishing efforts that tried to push people toward malicious external websites. In plain terms, the aim was to get a person to click a link outside WhatsApp, a method similar to earlier one-click campaigns associated with NSO.
In a press release published today, WhatsApp said it also found and removed test accounts and groups created on its platform. The company has published three domains it says were used in the activity so researchers, companies and users can check whether they were contacted through WhatsApp, text message, email or another channel.
The domains named by WhatsApp are:
hxxps://fr24cast.com
hxxps://ghazacast.com
hxxps://ikhwancast.com
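One way to run the check described above over exported messages or proxy logs, as an added example that is not WhatsApp's own tooling. It assumes plain-text lines, refangs common defanged forms, and matches the three published domains and their subdomains without flagging lookalike hosts; the sample lines are constructed.

```python
import re

# Domains published by WhatsApp, as listed in the article (scheme removed).
IOC_DOMAINS = {"fr24cast.com", "ghazacast.com", "ikhwancast.com"}

# Hostname candidates, with an optional scheme in front.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def refang(text):
    """Undo common defanging (hxxp, [.], (.), [dot]) so hosts can be parsed."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)

def match_ioc(host):
    """Return the listed domain if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for domain in sorted(IOC_DOMAINS):
        # Label-boundary match: "notfr24cast.com" must not match "fr24cast.com".
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_hits(lines):
    """Return (line_number, host_seen, listed_domain) for every match."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(refang(line)):
            domain = match_ioc(host)
            if domain:
                hits.append((number, host.lower(), domain))
    return hits

# Constructed sample input, not real traffic.
SAMPLE = [
    "msg from=<sender> text='breaking news hxxps://fr24cast[.]com/live'",
    "proxy GET https://cdn.GhazaCast.com/a.js 200",
    "proxy GET https://notfr24cast.com/ 200",
    "proxy GET https://ikhwancast.com.example.org/login 200",
    "mail body: see https://www.example.org/news",
]

if __name__ == "__main__":
    for number, host, domain in find_hits(SAMPLE):
        print(f"line {number}: {host} matches listed domain {domain}")
```
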

John Scott-Railton, a senior researcher at Citizen Lab, said the new claims carry legal and policy weight because they arrive while NSO has been trying to present itself as reformed. He also noted that the “fr24cast” domain may have been intended to impersonate France 24, though that has not been confirmed by WhatsApp.
The dispute now turns on a simple question: can a spyware vendor ignore a court order and keep probing the same service it was told to leave alone? WhatsApp wants the judge to treat the latest activity as a breach of the injunction, not as a new incident to be argued from scratch.
NSO has been under US trade restrictions since 2021, when the Commerce Department added the company to the Entity List over spyware supplied to foreign governments. US officials said the tools had been used to target journalists, officials, activists, academics, businesspeople and embassy workers.
WhatsApp presented the case as more than a WhatsApp issue, saying mercenary spyware remains a threat to users, companies and governments that no company can fight alone.
At the same time, it said WhatsApp messages and calls remain protected by default end-to-end encryption, while people at higher risk should keep devices updated, report suspicious activity and use stricter account settings.
Meta is also using the moment to back outside spyware research. WhatsApp said it is donating to the Spyware Accountability Initiative, which supports groups working on forensic analysis, victim support and policy work.
The company cited Citizen Lab’s past zero-day findings that led to Apple security updates, along with a recent Greek criminal conviction involving Intellexa spyware executives, as examples of civil society work that has produced concrete results.
The new filing also puts fresh pressure on NSO’s argument that it should be treated as a lawful security vendor serving government clients. The consequences for the spyware firm may now depend less on spyware capability and more on whether a federal judge agrees that the company crossed a line already drawn by the court.
Nevertheless, WhatsApp users should be cautious with suspicious links, even when they appear to come from known contacts or arrive in messages that seem connected to current events. The malicious domains shared by WhatsApp also appear to reference Gaza and the Muslim Brotherhood.
One domain uses “Ikhwan” (إخوان), which translates from Arabic as “brothers” and is commonly used to refer to the Muslim Brotherhood, a major transnational Islamic political organization.