Meta says it’s filing a federal court contempt order against NSO Group after detecting a new spear-phishing campaign targeting WhatsApp users — a direct violation of a permanent injunction that already barred the Israeli spyware vendor from going after the platform.
What NSO Tried This Time
The attack followed a familiar NSO playbook: send malicious links designed to lure users off WhatsApp and onto external websites. Meta described it as similar to previously documented 1-click phishing campaigns linked to the company. The domains caught in this round: fr24cast[.]com, ghazacast[.]com, and ikhwancast[.]com — all since taken down.
Meta also caught NSO Group creating test accounts and groups on WhatsApp, which have been removed. The company moved quickly to block the infrastructure, but the fact that NSO is still actively targeting WhatsApp users after years of legal consequences raises obvious questions about deterrence.
The Legal Backstory
This isn’t NSO Group’s first courtroom loss. In 2025, a U.S. court fined the company roughly $168 million for violating U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware against more than 1,400 people worldwide. A year before that, the U.S. Commerce Department added NSO to its blocklist for activities “contrary to the national security or foreign policy interests of the United States.” A permanent injunction was supposed to be the final word. Apparently, it wasn’t.
The contempt filing is significant because it signals that Meta isn’t just defending its platform — it’s actively pushing back through the courts. If the contempt order sticks, it could mean additional penalties or sanctions against NSO executives personally.
What Users Should Do Right Now
Meta’s advice is straightforward: keep apps and devices updated, and report suspicious messages immediately. For anyone at elevated risk — journalists, activists, lawyers, political figures — the company recommends enabling “strict account settings,” a lockdown-style feature that tightens several controls at once.
That includes turning on two-step verification, disabling link previews, restricting profile visibility to contacts only, and limiting who can add you to groups. It’s not a silver bullet, but it meaningfully reduces the attack surface against this class of phishing.
Why This Keeps Happening
The uncomfortable reality is that NSO Group has operated through years of fines, sanctions, and court orders without being shut down. Each new campaign suggests the business model still works well enough to justify the legal risk. The contempt order might change that calculus — or it might just be another line in a long legal file. Either way, WhatsApp users remain a high-value target, and the phishing infrastructure keeps adapting.
