Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 29, 2026 · 7 min read

WhatsApp Catches NSO in New Pegasus Spyware Campaign

Meta found 23 accounts and 34 groups linked to NSO's Pegasus operation — active less than a week after a federal court order told the company to stop.

A federal judge told NSO Group to stop. NSO kept going anyway. On June 8, 2026, Meta announced that WhatsApp's threat intelligence team had caught and disrupted a fresh Pegasus spyware campaign — one that began, according to Meta's court filing, within days of a permanent injunction taking legal effect. The spyware company that already owes $167 million in damages apparently decided a court order was not a hard stop. Meta is now asking a US federal judge to find NSO in contempt.

Key Takeaways

  • A permanent injunction barring NSO Group from targeting WhatsApp users became enforceable on January 28, 2026 — and Meta's evidence shows NSO linked accounts were active on the platform that same day.
  • Meta's threat intelligence team identified at least 23 WhatsApp accounts and 34 groups tied to NSO Group operations across 13 countries between January and early June 2026.
  • Two distinct spear phishing campaigns — one running February 3–7 and a second April 13–19 — sent one click malicious links to fewer than 10 users, primarily in Jordan and Lebanon.
  • Pegasus, once installed on a device, can read encrypted messages, capture emails, record calls, activate the microphone and camera silently, and track GPS location in real time.
  • Meta filed a federal contempt motion on June 8, 2026, citing "clear and convincing evidence" that NSO violated the court's order and asking the judge to impose additional penalties.

What Did NSO Actually Do?

NSO Group created infrastructure on WhatsApp itself to test and deploy Pegasus. Meta's filing details 23 accounts and 34 groups, many bearing names that read like an operational log: "Tests in Guinea 25.02.2026," "Tests in Tanzania 11.2.2026," "Tests in Yemen 20.04.2026," "Tests in Somalia 7.5.26." The geographic spread — at least 13 countries including Senegal, Mali, El Salvador, and Jordan — mirrors the pattern of governments known to license Pegasus for use against journalists, activists, and political opponents.

The attack method in both campaigns was spear phishing: one click malicious links that direct targets away from WhatsApp's encrypted environment and onto attacker controlled external websites. The first campaign ran February 3–7, 2026. A second followed April 13–19. WhatsApp removed the accounts and groups, and Meta says fewer than 10 users were targeted, with no confirmed successful compromises. But the point of the contempt motion is not the attack's scale — it is that NSO ran it at all, in plain defiance of a court order.

What Is the Court Order NSO Violated?

The injunction grew out of a lawsuit WhatsApp filed against NSO in 2019, after Pegasus was used to target more than 1,400 WhatsApp users in a single mass hacking campaign. Judge Phyllis Hamilton of the US District Court for the Northern District of California found NSO liable for violating US anti hacking laws and breach of contract. In May 2025, a jury awarded WhatsApp $167 million in punitive damages (later reduced to $4 million in compensatory damages). Last October, Judge Hamilton issued a permanent injunction permanently barring NSO from using WhatsApp's infrastructure to deploy spyware. That injunction became enforceable January 28, 2026.

Meta's contempt filing argues the violation was not accidental or borderline: "clear and convincing evidence shows that NSO began violating this Court's injunction almost immediately and continues violating it today." NSO Group has not publicly responded to the contempt motion and did not reply to press requests for comment.

A gavel resting next to a smartphone displaying a WhatsApp conversation, representing the legal battle between Meta and NSO Group over Pegasus spyware

What Does Pegasus Actually Take From Your Device?

Pegasus is not a wiretap in the traditional sense. Once it has root access to a device, it operates below the level at which any app — including Signal or WhatsApp — can protect you. It reads messages after they have been decrypted on screen. It harvests emails from whatever client is installed. It captures passwords, photos, and call records. It activates the microphone and camera without any indicator light. It tracks GPS location continuously. IEEE research on Pegasus's behavioral attack model describes it as a surveillance system that treats the device's operating system as the exploit surface, not any individual app.

That is the detail that makes NSO's defiance of a court order so consequential for anyone with a high threat model. The encryption protecting your messages in transit means nothing once Pegasus sits on the device reading them in plaintext. The same is true for email: end to end encryption stops an attacker in the network; it does not stop spyware with root access on the endpoint.

Why Journalists and Activists Should Care About This Specifically

The targets in the new campaign were primarily in Jordan and Lebanon. Jordan is not a random data point. Previous Citizen Lab and Access Now investigations documented Pegasus infections of Jordanian journalists, lawyers, and human rights defenders between 2019 and 2023 — people whose phones were turned into surveillance devices while they reported on government corruption or represented political dissidents. The group names in Meta's filing ("Tests in Yemen," "Tests in Somalia") suggest customers in conflict zones where press freedom is already severely restricted.

John Scott-Railton, a senior researcher at Citizen Lab, put it directly: "NSO's own actions make the strongest argument for why they should stay on the Entity list." NSO Group has been on the US Commerce Department Entity List since 2021, a designation that restricts US companies from supplying NSO with technology. The contempt motion, if successful, could tighten those restrictions further — and set a precedent that court orders against spyware firms have actual teeth.

That matters beyond this case. If NSO can operate through a court ordered ban with no additional consequence, every future injunction against a surveillance vendor becomes negotiable. The eleven civil society groups that filed an amicus brief in May 2026 asking the Ninth Circuit to preserve the permanent injunction were arguing exactly this point: that the injunction is the last formal barrier between the commercial spyware industry and the communications of journalists, activists, and lawyers worldwide.

Concrete OPSEC Steps for High Risk Users

No single tool stops Pegasus once a device is compromised, but these measures raise the cost of targeting and reduce your exposure to the specific attack vector NSO used here — one click phishing links that lead off platform.

  • Enable WhatsApp's advanced privacy settings. WhatsApp's strict settings mode limits who can send you links and reduces your attack surface for one click phishing campaigns of exactly this type.
  • Use Apple Lockdown Mode if you are a verified high risk target. Apple reports no device running Lockdown Mode has ever been successfully compromised by Pegasus. It restricts link previews, attachment handling, and other vectors Pegasus exploits.
  • Never click unsolicited links, even in encrypted apps. The new NSO campaign relied on luring targets off platform. A link in WhatsApp is not protected by WhatsApp's encryption once you leave the app.
  • Reboot your device regularly. Many Pegasus variants do not survive a full reboot, limiting persistence. This does not prevent reinfection but reduces the window of active surveillance.
  • Run periodic checks with Mobile Verification Toolkit (MVT). Developed by Amnesty International's Security Lab, MVT scans iOS and Android devices for known Pegasus indicators of compromise.
  • Compartmentalize sensitive source communications. Use a dedicated device for the most sensitive contacts. If one device is compromised, a separate device running a minimal app set limits the blast radius.

What Happens Next

The contempt motion is now before Judge Hamilton. If granted, the court could impose new financial penalties on top of the existing $167 million judgment, restrict NSO's ability to operate through US based infrastructure, or refer the matter for further enforcement. NSO Group, which was acquired by US investors in October 2025 and is reportedly seeking to exit the US Entity List designation, faces a direct conflict: its new ownership wants US market access, but the contempt filing makes that argument considerably harder.

Meta's statement was pointed: "When a malicious company on the US government's Entity List continues to defy US courts, existing restrictions must remain firmly in place." Whether the court agrees — and whether that agreement carries consequences NSO cannot simply absorb — will define how much protection court orders can realistically offer against a commercial spyware industry that has operated in a legal gray zone for over a decade.

For journalists and activists in Jordan, Lebanon, Yemen, or any of the other 13 countries named in Meta's filing: the people who built Pegasus do not stop when a judge says stop. That is the threat model you are working with. One small, practical mitigation arrived in June 2026: WhatsApp usernames now let you hide your phone number from strangers — useful against casual deanonymization, though not against spyware operating below that layer.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.