WhatsApp says it blocked another round of NSO-linked phishing attempts
WhatsApp says it has disrupted spear-phishing campaigns it believes were tied to NSO Group, the controversial spyware vendor best known for Pegasus. The new wave came to light after users reported social engineering attempts, according to Meta, which owns WhatsApp.
The company says the attackers tried to push targets toward malicious links that sent them away from WhatsApp and onto external websites. Meta says the tactics looked similar to earlier one-click phishing campaigns linked to NSO.
For users, the takeaway is simple: the messages themselves may not be the only threat. The link you tap can matter just as much as the chat that delivered it.
Why this matters beyond one app
NSO Group has long been one of the most closely watched names in the spyware world. Its tools have been reported in use against politicians, activists, journalists, academics, and other high-interest targets. The company has also faced heavy legal and regulatory pressure, including U.S. sanctions dating back to November 2021.
Meta says that pressure has not stopped attempts to target WhatsApp users. The company pointed to prior court action in 2025, when it says it secured a permanent injunction against NSO, a finding of liability tied to 1,400 infections, and a $167,000,000 fine.
Even with those rulings in place, Meta says the latest activity shows that commercial spyware operators can keep trying to find new ways in.
What Meta says it found
According to Meta, the attackers were using social engineering instead of relying only on technical exploits. The company says it also found test accounts and groups being created on WhatsApp, and took them down.
Meta listed these domains as indicators of compromise connected to the campaign:
- ikhwancast[.]com
- ghazacast[.]com
- fr24cast[.]com
Meta says the activity appears to violate the 2025 court order that bars NSO from targeting WhatsApp or its users.
What users should do now
WhatsApp says end-to-end encryption still protects messages and calls from Pegasus and similar spyware, but it also urged people to keep their apps and operating systems updated.
It also pointed to extra device defenses that can reduce spyware exposure:
- Android users can enable Advanced Protection
- iPhone users can turn on Lockdown Mode
Those features are designed to shrink the attack surface, which can make it harder for targeted spyware campaigns to succeed.
The bigger security picture
This is another reminder that mobile security is not just about avoiding obvious scams. High-end spyware operations often start with simple-looking lures, then move quickly once a target interacts.
For WhatsApp, the fight is now part legal, part technical, and part operational. Meta says it is still disrupting the campaigns it can see, even as it continues to accuse NSO of ignoring earlier consequences.