WhatsApp Says It Blocked Pegasus Spyware Campaign Linked to NSO

Summary

WhatsApp has disrupted new spyware activity linked to NSO Group, the creators of Pegasus, and is seeking to hold the firm in contempt of a previous court order. The activity involved spear-phishing attempts directing users to malicious external websites, rather than exploiting WhatsApp vulnerabilities. WhatsApp has published three domains used in the campaign and is urging the court to consider this a breach of an existing injunction against NSO.

Full text

Cyber Crime Laws & Legalities MalwareWhatsApp Says It Blocked Pegasus Spyware Campaign Linked to NSO WhatsApp says it blocked Israeli firm NSO’s Pegasus spyware activity and is asking a US court to treat the targeting as an injunction breach. byWaqasJune 8, 20263 minute read WhatsApp says it has disrupted new spyware related activity linked to NSO Group, the Israeli surveillance company behind Pegasus, and is now asking a US federal court to hold the firm in contempt of a permanent injunction. The new action follows a major legal win for WhatsApp and parent company Meta in their long running case against NSO. The court had already barred NSO from targeting WhatsApp or its users after finding that the company violated federal and state hacking laws in connection with a 2019 attack on roughly 1,400 users. This time, WhatsApp says the activity did not rely on a unknown WhatsApp vulnerability. The company said it investigated user reports and found spear phishing efforts that tried to push people toward malicious external websites. In plain terms, the aim was to get a person to click a link outside WhatsApp, a method similar to earlier one click campaigns associated with NSO. In a press release published today, WhatsApp said it also found and removed test accounts and groups created on its platform. The company has published three domains it says were used in the activity so researchers, companies and users can check whether they were contacted through WhatsApp, text message, email or another channel. The domains named by WhatsApp are: hxxps://fr24cast.comhxxps://ghazacast.comhxxps://ikhwancast.com Infographic showing how Pegasus spyware can reach Android and iPhone devices through one click or zero click routes, gain device access, read messages, location, microphone, camera, photos and files, then send data out (Credit: Hackread.com John Scott Railton, a senior researcher at Citizen Lab, said the new claims carry legal and policy weight because they arrive while NSO has been trying to present itself as reformed. He also noted that the “fr24cast” domain may have been intended to impersonate France 24, though that has not been confirmed by WhatsApp. The dispute now turns on a simple question; can a spyware vendor ignore a court order and keep probing the same service it was told to leave alone? WhatsApp wants the judge to treat the latest activity as a breach of the injunction, not as a new incident to be argued from scratch. NSO has been under US trade restrictions since 2021, when the Commerce Department added the company to the Entity List over spyware supplied to foreign governments. US officials said the tools had been used to target journalists, officials, activists, academics, businesspeople and embassy workers. WhatsApp presented the case as more than a WhatsApp issue, saying mercenary spyware remains a threat to users, companies and governments which no company can fight alone. At the same time, it said WhatsApp messages and calls remain protected by default end to end encryption, while people at higher risk should keep devices updated, report suspicious activity and use stricter account settings. Meta is also using the moment to back outside spyware research. WhatsApp said it is donating to the Spyware Accountability Initiative, which supports groups working on forensic analysis, victim support and policy work. The company cited Citizen Lab’s past zero day findings that led to Apple security updates, along with a recent Greek criminal conviction involving Intellexa spyware executives, as examples of civil society work that has produced concrete results. The new filing also puts fresh pressure on NSO’s argument that it should be treated as a lawful security vendor serving government clients. The consequences for the spyware firm may now depend less on spyware capability and more on whether a federal judge agrees that the company crossed a line already drawn by the court. Nevertheless, WhatsApp users should be cautious with suspicious links, even when they appear to come from known contacts or arrive in messages that seem connected to current events. The malicious domains shared by WhatsApp also appear to reference Gaza and the Muslim Brotherhood. One domain uses “Ikhwan,” (إخوان) which translates from Arabic as “brothers” and is commonly used to refer to the Muslim Brotherhood, a major transnational Islamic political organization. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts Cyber AttackCyber CrimeCybersecurityFacebookIsraelMalwareMetaNSOPegasusSpywareWhatsApp Leave a Reply Cancel reply View Comments (0) Related Posts Cyber Crime Someone stole $3 million from Coinsecure Bitcoin exchange In a security notice, the Indian Bitcoin exchange Coinsecure has revealed that it has suffered a setback after 438… byWaqas Security Malware Hundreds of Android devices shipped with pre-installed malware It is commonly believed that a brand new handset would be free from malware, adware and any malicious… byWaqas Hacking News Malware Security Sacramento Regional Transit System in California Held for $7,000 Ransom On Saturday night an unknown hacker targeted the Sacramento Regional Transit System (RT or SacRT) in California and… byWaqas Read More Security Malware News Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes Beyond Bush and Obama: Dutch Investigation Uncovers Hidden Secrets of Stuxnet's Billion-Dollar Attack. byDeeba Ahmed

Indicators of Compromise

• domain — fr24cast.com
• domain — ghazacast.com
• domain — ikhwancast.com

Entities