Earlier this month, Meta announced that it had detected a new spear-phishing attempt linked to the Israeli surveillance group NSO, notorious for developing the Pegasus spyware. The attempt targeted WhatsApp users through a phishing campaign, in what Meta said violated a previous court order barring the Israeli firm from targeting the platform and its users.
According to Meta, WhatsApp’s parent company, a group of accounts linked to NSO were used to try to trick WhatsApp users into clicking on malicious links, in a fashion similar to previous phishing campaigns attributed to NSO.
According to a Meta spokesperson, the latest campaign targeted around 10 users, most of them in Jordan and Lebanon. The spokesperson added that the company had so far found no signs that the devices or accounts of the identified targets had been compromised.
In an official statement, Meta said it had filed a motion in a US federal court asking it to hold NSO in contempt, less than a year after a court ruling found the company liable in a legal dispute dating back to 2019.
To enable users and security agencies to check whether they had been targeted through WhatsApp or other platforms, Meta published the following domain names linked to the spyware campaign in its official statement:

(We advise against visiting these domains.)
“This statement may sound reassuring, but it actually is not,” says Ragheb Ghandour, SMEX’s cybersecurity consultant. “Platform-level telemetry and remote analytics cannot detect Pegasus. The spyware requires extracting and carefully examining system diagnostic files (sysdiagnose).”
Ghandour adds that the most valuable part of what Meta did was not the lawsuit, but its publication of the domains used.
“These domains are live indicators of compromise (IOCs), and any digital forensics investigator currently working on cases in the region should immediately cross-reference this information.”
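Cross-referencing a published domain list against collected evidence can be scripted; the following is an added example, not code from Meta, SMEX or anyone quoted here. The indicator and evidence values are constructed placeholders on reserved `.example`/`.invalid` names, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders on reserved names, defanged; NOT the domains Meta listed.
IOC_FEED = ["secure-chat[.]example", "hxxps://Media-Share.invalid/", "# note", ""]
# Constructed evidence lines, shaped like an exported chat and a DNS log.
EVIDENCE = [
    "2025-01-01 10:02 contact: see https://wa.secure-chat.example/i?x=1",
    "2025-01-01 10:05 dns query MEDIA-SHARE.INVALID. type A",
    "2025-01-01 10:07 contact: https://notsecure-chat.example/login",
]

def normalize_host(token):
    """Return the lowercase hostname of a URL or bare-domain token, or None."""
    t = token.strip().replace("[.]", ".").replace("(.)", ".")  # refang dots
    t = re.sub(r"^hxxp", "http", t, flags=re.I)                # refang scheme
    if "://" not in t:
        t = "//" + t            # lets urlsplit treat a bare domain as a host
    try:
        host = urlsplit(t).hostname
    except ValueError:          # malformed token, e.g. unbalanced brackets
        return None
    return host.rstrip(".") if host else None   # drop the DNS root dot

def load_iocs(feed):
    """Normalize a feed of indicators, skipping blanks and # comments."""
    hosts = (normalize_host(e) for e in feed if e.strip() and not e.strip().startswith("#"))
    return {h for h in hosts if h}

def matching_ioc(host, iocs):
    """Return the indicator equal to host or a parent domain of it, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):     # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:            # label-wise, so "notsecure-chat" is no hit
            return candidate
    return None

def scan(lines, iocs):
    """Return (line_number, observed_host, matched_indicator) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in filter(None, map(normalize_host, line.split())):
            if (ioc := matching_ioc(host, iocs)):
                hits.append((n, host, ioc))
    return hits

if __name__ == "__main__":
    print(scan(EVIDENCE, load_iocs(IOC_FEED)))
```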
NSO’s new attack marks a technical step back
The latest phishing campaign launched by NSO relies on a one-click attack, a type of cyberattack in which a user only has to click on a single malicious link or attachment for their device or account to be compromised, without entering any information.
NSO had previously become known for compromising devices through zero-click technology, which requires no action from the user and works by exploiting vulnerabilities in operating systems.
“The use of phishing links in the current attack marks a change in NSO Group’s targeting behavior,” adds Ghandour.
SMEX’s Digital Forensics Lab (DFL) advises users not to click on unknown links or attachments to avoid falling victim to these cyberattacks. When in doubt, users should contact the sender directly to verify.
WhatsApp has also published some tips for strengthening account security, which are worth reviewing. SMEX’s work has also previously covered how to protect your data from spyware attacks similar to NSO’s.
“The fine that was imposed on NSO amounts to no more than the value of a single contract for deploying Pegasus,” states Ghandour. He adds that the targeting of WhatsApp is “not defiance, but purely a commercial decision.”
The cybersecurity expert explains this could either be attributed to “the strict security measures Apple imposed on iOS, which may have effectively forced [NSO] to take a step back in the cyber kill chain, or to a deliberate shift toward quieter operations with less visible digital footprints. Both possibilities require close attention and careful monitoring.”
Holding the spyware industry accountable
The new legal move follows a lawsuit filed by Meta last year against NSO, accusing the Israeli firm of exploiting vulnerabilities in WhatsApp to target human rights activists, journalists, political dissidents, and others with Pegasus spyware.
A US court awarded Meta $167 million in damages last year, before a judge later reduced the amount to $4 million. The ruling also included a court order barring NSO from targeting WhatsApp or its users in any way.
SMEX’s Policy team says that the targeting attempt shows that NSO “is willing to violate international human rights law and disregard national court rulings, underscoring the clear need to hold the entire spyware industry accountable.”
Israeli companies are infamous for leading the spyware industry, as revealed in SMEX’s previous study on the Israeli spyware industry, “Click, Load, Kill: A Look into the Cyberweapon Industry in the WANA Region.”
Pentagon raises the threat level tied to Israeli spying
These developments coincide with the United States’ Department of Defense raising the threat level associated with Israeli espionage activities to the highest level, according to US media reports, amid concerns over attempts to collect information about decision-making processes within President Donald Trump’s administration.
Citing US officials, NBC News reported that the US Department of Defense’s military intelligence arm had assessed that “Israel’s ability to conduct human espionage and technical collection is at a ‘critical level.’”
The move came after growing concerns that Israel may have sought information on the US administration’s internal deliberations over the ongoing conflicts in the “Middle East.”