Meta Moves to Hold NSO Group in Contempt After New Pegasus-Linked Phishing Attacks
Table of Contents
A Breach of Court Order
Meta is returning to federal court to demand that NSO Group be held in contempt, alleging that the Israeli cyber-intelligence firm is once again targeting WhatsApp users despite a permanent injunction. The move marks the latest escalation in a years-long legal war between the social media giant and the creators of the infamous Pegasus spyware.
According to Meta, the company recently intercepted a cluster of NSO-linked accounts attempting to execute a spear-phishing campaign. The attack involved tricking users into clicking malicious links—a tactical signature that Meta claims is consistent with previous campaigns tied to NSO. While the scale of this specific attempt was narrow, targeting fewer than 10 individuals primarily located in Jordan and Lebanon, the legal implications are vast. For Meta, this isn’t just about ten users; it’s about a direct violation of a court-mandated ban on NSO’s interaction with its infrastructure.
The Legal Precedent and the $4 Million Friction
The friction between Meta and NSO Group dates back to 2019, when Meta filed suit after discovering that Pegasus was being used to infiltrate the devices of human rights activists, journalists, and political dissidents. The case highlighted a systemic abuse of “zero-click” and “one-click” vulnerabilities to install surveillance software that grants operators total access to a target’s encrypted messages, microphone, and camera.
Last year, the legal battle reached a momentary peak when a jury awarded Meta $167 million in damages. However, that figure was later slashed by a judge to $4 million. More critical than the monetary penalty was the permanent injunction accompanying the judgment, which explicitly prohibited NSO Group from targeting WhatsApp and its user base. By filing for contempt, Meta is arguing that the injunction is being treated as a suggestion rather than a legal requirement.
Technical Signatures and Containment
Meta’s security teams identified the current campaign by analyzing the domains used in the phishing attempts. In a move toward industry-wide transparency, Meta has shared these specific domains publicly. This allows other security researchers and targeted individuals to cross-reference their own logs to see if they were victims of the same infrastructure, potentially exposing the reach of the campaign beyond the few users Meta has already identified.
A spokesperson for Meta noted that there are currently no signs that the identified targets were actually compromised, suggesting that the company’s internal monitoring systems caught the attempts before the Pegasus payload could be successfully deployed. This “catch-and-release” pattern underscores the ongoing arms race between Meta’s security engineers and NSO’s developers.
The Middle East Connection
The focus on Jordan and Lebanon is not accidental. The Levant region has long been a primary theater for the deployment of Pegasus, often sold to government agencies under the guise of combating terrorism and organized crime. However, reports from organizations like Amnesty International and Citizen Lab have repeatedly shown that the software is frequently pivoted toward political surveillance.
NSO Group has historically defended its practices by stating it sells its software exclusively to vetted governments and requires them to follow human rights laws. However, the recurring nature of these attacks—and the subsequent legal filings by Meta—suggests a persistent gap between NSO’s corporate policy and the actual deployment of its tools in the field.
As of the time of reporting, NSO Group has not responded to requests for comment regarding the specific phishing cluster or the pending contempt motion.
