Meta Accuses NSO of Violating WhatsApp Court Injunction


Meta says NSO violated a court injunction by targeting WhatsApp users again through phishing campaigns and test accounts.

Last year, WhatsApp won a landmark case against NSO Group, the Israeli spyware vendor behind Pegasus, and secured a permanent court injunction barring the company from ever targeting WhatsApp or its users again. The court was unambiguous: NSO had violated US federal and state hacking laws. That should have been the end of it. It wasn’t.

Meta investigated user reports and detected new targeting attempts linked to NSO, which the company disrupted.

“We successfully disrupted NSO-linked social engineering attempts, after investigating user reports. They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO,” reads Meta’s announcement. “We also caught them creating test accounts and groups on WhatsApp, which we took down.”

The attempts weren’t subtle: classic spear phishing, luring targets away from the encrypted environment into attacker-controlled territory outside the app’s protections. Meta also caught NSO creating test accounts and groups on WhatsApp, which it took down.

The company is now filing a federal court contempt motion against NSO for violating the injunction. Three malicious domains linked to the activity have been made public so that anyone can check whether they were targeted across any platform: ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com. Meta says the threat indicators are relevant beyond WhatsApp, covering text messages, emails, and other channels.

The contempt filing lands in a specific context. NSO is a US government-blacklisted company, placed on the Commerce Department’s Entity List in 2021 for activities found contrary to US national security interests. A court found it liable and imposed $168 million in damages.

“Since 2019, our case has shown that NSO continues to build spyware tools to target people’s devices. Its CEO confirmed in court that the company looks for ‘vectors, or ways to access the phone’ beyond WhatsApp, targeting browsers, operating systems, and other applications,” continues the announcement. “When a malicious company on the US government’s Entity List continues to defy US courts, existing restrictions must remain firmly in place. Easing them would undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk.”

That statement sends a clear message: there have been signs that some U.S. sanctions against NSO could be eased, and Meta is making it clear that it disagrees with that approach.

NSO’s CEO confirmed in court that his company actively looks for attack vectors beyond WhatsApp, targeting browsers, operating systems, and other applications. That’s not a past-tense admission. It describes an ongoing commercial operation whose customer list, according to documented cases, includes users targeting journalists, government officials, military personnel, and humanitarian workers. A spyware company doesn’t stay in business by targeting nobody.

Meta is also putting money behind the broader fight. It’s making a contribution to the Spyware Accountability Initiative, a fund that supports organizations working on forensic research, user support, and advocacy globally. Twelve civil rights organizations filed amicus briefs last month supporting the permanent injunction against NSO’s appeal. The Citizen Lab example Meta cites is worth noting: a zero-day discovered by Citizen Lab researchers led directly to an Apple security update covering over a billion devices. In Greece, forensic evidence built by civil society organizations resulted in the first-ever criminal conviction of spyware company executives. This year. That work is chronically underfunded relative to the spyware vendors it’s trying to hold accountable.

For ordinary WhatsApp users, end-to-end encryption on messages and calls remains on by default and wasn’t the attack surface here. For anyone who thinks they might be a higher-value target because of their job, their reporting, or who they work for, Meta has a Strict Account Settings feature worth enabling. It turns on two-step verification, disables link previews, restricts profile visibility and group membership to known contacts, and limits other settings that would normally expand exposure.

“As always, WhatsApp users’ personal messages and calls remain protected with default end-to-end encryption,” concludes the report. “We encourage people to keep their apps and devices up to date and report suspicious activity so we can investigate and take action. For those who believe they may be targeted by sophisticated cyber attacks, we strongly recommend enabling strict account settings to harden their WhatsApp accounts even more.”

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp)
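For defenders who want to act on the three published domains, the following is an added example (not part of the original article or Meta's announcement) that scans log or message text for them, accepting defanged spellings and subdomains while rejecting lookalike hostnames. The log lines, function names and field layout are constructed for illustration.

```python
import re

# Indicators as published in the article (defanged there, refanged here for matching).
NSO_LINKED_DOMAINS = {"ikhwancast.com", "ghazacast.com", "fr24cast.com"}

# Hostname-like tokens, tolerating defanged separators such as "[.]" or "(.)".
_HOST_RE = re.compile(r"\b[a-z0-9-]+(?:(?:\[\.\]|\(\.\)|\.)[a-z0-9-]+)+", re.IGNORECASE)

def refang(token):
    """Normalise a possibly defanged hostname to lowercase dotted form."""
    return token.replace("[.]", ".").replace("(.)", ".").lower()

def match_indicator(host):
    """Return the published domain that host equals or is a subdomain of, else None."""
    for domain in NSO_LINKED_DOMAINS:
        # The "." prefix stops "notfr24cast.com" from matching "fr24cast.com".
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_hits(lines):
    """Return (line_number, indicator, observed_host) for every match in lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for token in _HOST_RE.findall(line):
            host = refang(token)
            domain = match_indicator(host)
            if domain:
                hits.append((line_no, domain, host))
    return hits

# Constructed sample data: DNS, proxy, SMS and mail records in a made-up format.
SAMPLE_LINES = [
    "2025-01-01T10:00:01Z dns query client=10.0.0.5 name=cdn.example.org",
    "2025-01-01T10:00:07Z proxy GET https://Login.FR24cast.com/live client=10.0.0.8",
    "2025-01-01T10:01:12Z sms body='watch now: ghazacast[.]com/stream'",
    "2025-01-01T10:02:30Z dns query client=10.0.0.9 name=notfr24cast.com",
    "2025-01-01T10:03:44Z mail from=alerts@ikhwancast.com subject=update",
    "2025-01-01T10:04:02Z dns query client=10.0.0.9 name=fr24cast.com.example.org",
]

if __name__ == "__main__":
    for line_no, domain, host in find_hits(SAMPLE_LINES):
        print(f"line {line_no}: {host} matches published indicator {domain}")
```

Matching on whole hostnames rather than substrings is what keeps lines 4 and 6 of the sample out of the results; a plain substring search would flag both.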