
WhatsApp Catches Spyware Firm NSO Defying No-Hacking Court Order

The Meta-owned communications app is filing a federal court contempt order against NSO.


Meta-owned communications app WhatsApp says it recently detected and disrupted a spear-phishing attempt linked to spyware company NSO Group. The attack is allegedly in defiance of a court order that bars the spyware maker from targeting WhatsApp.

WhatsApp filed a lawsuit against NSO in 2019, after it came to light that a zero-day vulnerability had been exploited to deliver spyware to users.

In December 2024, a judge ruled that NSO is liable, and in May 2025 a jury ordered the spyware maker to pay more than $444,000 in compensatory damages and $167 million in punitive damages, which NSO appealed.

In October 2025, a judge reduced the punitive damages to $4 million, but WhatsApp was granted a permanent injunction barring NSO from hacking its users.

NSO has been seeking to overturn the order blocking it from targeting WhatsApp users, arguing that the company will “suffer irreparable harm”.

According to WhatsApp, the spyware maker has violated the permanent injunction. The messaging app reported on Monday that it had recently learned of a social engineering attack that attempted to trick users into clicking on malicious links.


WhatsApp has shared only a few domains as indicators of compromise (IoCs), but says it was able to link the attack to NSO, pointing to similarities to previously reported one-click phishing campaigns tied to the spyware company.

WhatsApp says it also caught the attackers creating test accounts and groups. Those accounts and groups have been disabled, but further action is also being taken.

“We’re filing a federal court contempt order against NSO for violating a permanent injunction that barred them from ever targeting WhatsApp and its users,” WhatsApp said.

Nearly a dozen civil society organizations recently filed an amicus brief with the Ninth Circuit Court of Appeals to maintain the lower court’s permanent injunction forbidding NSO from targeting WhatsApp and its customers.

In addition, WhatsApp said on Monday that it’s making a “significant contribution” to the Spyware Accountability Initiative, a fund supporting work aimed at exposing, challenging, and stopping the abuse of spyware technology. 


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
