Israeli spyware firm targeted WhatsApp users despite US court order

Facebook parent company Meta has uncovered new unlawful activity by the notorious NSO Group, claiming the Israeli-founded spyware developer has repeatedly violated a permanent US court injunction by targeting WhatsApp users across Jordan and Lebanon, the tech giant confirmed earlier this week.

Meta’s security investigation found that NSO Group carried out coordinated spear-phishing operations against a small number of WhatsApp accounts in the two Middle Eastern nations. The firm also created unauthorized test accounts and discussion groups on the messaging platform, according to Meta’s findings.

Following the discovery, WhatsApp published the three domain names NSO Group used to facilitate one-click device infections: ikhwancast, ghazacast and fr24cast. John Scott-Railton, a senior researcher at the University of Toronto’s cybersecurity watchdog Citizen Lab, has raised questions over whether the fr24cast domain was intentionally designed to impersonate respected international French news outlet France24, a common tactic in deceptive phishing attacks.

A look at NSO Group’s history of controversial activity shows the firm is the creator of Pegasus, the world-famous (and widely condemned) spyware that can silently infiltrate WhatsApp accounts to extract sensitive personal data including private messages, photos, call logs and other user information. After years of legal and regulatory scrutiny, the company came under US ownership in 2024.

The 2025 court battle between Meta and NSO Group resulted in a major ruling against the spyware firm. A US judge ordered NSO Group to pay Meta $167 million in damages, a figure that was later reduced to $4 million, but the most impactful outcome was a permanent nationwide ban that forbids NSO Group from accessing or targeting any WhatsApp services or its global user base.

Meta says this newly uncovered campaign is clear proof NSO Group has blatantly violated that court order. The firm has a long-standing placement on a US Commerce Department blacklist that bars any American company from doing business with NSO Group, a designation the Biden administration implemented after determining the firm’s activities posed a threat to US national security and foreign policy interests.

Recent industry reporting indicates NSO Group has been lobbying heavily to be removed from the US blacklist under the second Trump administration, a push that aligns with the firm’s 2024 appointment of David Friedman as executive chair. Friedman served as the US Ambassador to Israel throughout Trump’s first presidential term from 2017 to 2021, a high-profile pick widely interpreted as an effort to win favor with the current White House.

This is not the first time NSO Group’s spyware has been linked to invasive surveillance of targets in the Middle East. A 2021 collaborative investigation coordinated by the journalism non-profit Forbidden Stories exposed how multiple Middle Eastern governments were using Pegasus to spy on journalists, human rights activists, and political opposition figures. Saudi Arabia, Morocco, Bahrain, and the United Arab Emirates were among the nations named in the investigation as clients of NSO Group. One high-profile incident from 2022, documented by independent regional outlet Middle East Eye, captured the human cost of this surveillance: Finsbury Park Mosque chair Mohammed Kozbar was filmed explaining to his son that the family’s devices had been compromised by Pegasus, a moment observers described as a heartbreaking illustration of the harm invasive spyware inflicts on ordinary people.

As of this week, NSO Group has not issued any public response to Meta’s allegations, after declining to comment on the claims when approached by The Guardian. Meta has not yet announced what legal action it may pursue in response to the reported court order violation.