WhatsApp has announced the disruption of a sophisticated spyware campaign targeting users on its platform, blaming the attack on NSO Group, the Israeli cyber-surveillance company behind the controversial Pegasus spyware.
The Meta-owned messaging platform said it uncovered and dismantled the operation following an internal investigation triggered by reports from users.
WhatsApp is now seeking stronger legal action against NSO Group, asking a United States court to hold the company in contempt of a permanent injunction issued last year that expressly prohibits it from targeting WhatsApp or its users.
The latest development marks a significant escalation in a legal battle that began in 2019 and has become one of the most closely watched cases in the global fight against commercial spyware.
According to WhatsApp, NSO operatives attempted to lure users into clicking malicious links that redirected them to external websites, a tactic consistent with previously documented Pegasus infection methods.
“They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp,” the company said.
WhatsApp also revealed that it detected and removed test accounts and groups allegedly created by NSO operatives as part of the campaign.
The attack reportedly mirrored one-click phishing operations linked to NSO that were documented in Jordan in 2024, where victims were infected with Pegasus spyware after clicking malicious links sent through messaging applications.
To enhance transparency and user protection, WhatsApp said it is publishing threat indicators associated with the campaign, enabling users and cybersecurity researchers to determine whether they may have been targeted through WhatsApp, email, SMS, or other digital platforms.
The company further disclosed that testimony provided in court by NSO Group’s chief executive confirmed that the firm actively explores multiple pathways for gaining access to target devices, including browsers, operating systems and other applications beyond WhatsApp.
WhatsApp argued that the case has implications far beyond its platform, warning that continued violations of court orders by spyware vendors could undermine digital security and privacy worldwide.
The company noted that twelve civil rights and digital rights organisations recently filed legal briefs supporting its efforts to uphold the injunction against NSO Group. These organisations include privacy advocates, cybersecurity experts and human rights groups.
As part of its broader response to commercial spyware threats, WhatsApp announced a significant contribution to the Spyware Accountability Initiative, a global fund that supports forensic investigations, victim assistance programmes and advocacy efforts aimed at combating spyware abuse.
The legal dispute between WhatsApp and NSO Group dates back to 2019 when the messaging platform accused the company of exploiting a vulnerability in its system to deploy Pegasus spyware against approximately 1,400 users.
Those targeted reportedly included journalists, human rights activists, government officials and civil society leaders across several countries.
A U.S. court later ruled in favour of WhatsApp, granting a permanent injunction that bars NSO Group from targeting the platform and finding that the company violated both federal and state anti-hacking laws.
NSO Group has consistently maintained that Pegasus is sold only to vetted government agencies for legitimate law enforcement and national security purposes. The company argues that it is not responsible for how government clients use the technology.
In light of the latest incident, WhatsApp has urged users to update their applications and devices regularly, enable advanced security features and report suspicious messages or links.
The platform also advised individuals who believe they may be targets of sophisticated cyberattacks to activate stronger account protection measures and remain vigilant against phishing attempts.
Cybersecurity experts have repeatedly warned that spyware attacks are becoming increasingly sophisticated, making user awareness and proactive security practices critical to protecting personal information and digital communications.
