Meta has filed a contempt motion in the U.S. District Court for the Northern District of California, alleging that NSO Group — the Israeli commercial spyware vendor responsible for the Pegasus surveillance platform — violated a 2021 consent order by deploying new WhatsApp-targeting spear-phishing infrastructure against journalists, human rights defenders, and civil society organisations in six countries.
The contempt filing details a new WhatsApp attack campaign that NSO Group allegedly launched in early 2026, using updated infrastructure that circumvented the indicators of compromise from the original 2019 exploit campaign that underpinned Meta’s initial lawsuit. Meta’s security team identified and blocked the new campaign infrastructure, documented the target list (which included journalists investigating government corruption and human rights organisations in Eastern Europe and Central Asia), and filed the contempt motion based on evidence that the activity violated the terms of the 2021 court order.
NSO Group and the Commercial Spyware Market
NSO Group’s Pegasus platform is the most extensively documented commercial spyware product. It provides government and law enforcement clients with zero-click or near-zero-click exploitation capability against iOS and Android devices, enabling surveillance of device communications, location, contacts, and stored data without the target’s knowledge.
NSO Group sells Pegasus exclusively to government clients, positioning it as a lawful intercept tool for terrorism investigation and serious crime. Independent research (Citizen Lab, Amnesty International Tech, and others) has repeatedly documented Pegasus deployment against civil society targets (journalists, political dissidents, human rights lawyers) in jurisdictions where the “lawful” framing masks its use for political repression.
The 2021 consent order, entered into as a condition of pausing the original Meta lawsuit, required NSO Group to cease all access to Meta’s platforms and related infrastructure. The 2026 contempt filing alleges that the new campaign violated this order through a restructured technical infrastructure that maintained the same functional purpose (targeting WhatsApp users with spyware delivery) under a different technical architecture.
Technical Aspects of the New Campaign
Meta’s security disclosure describes the new NSO campaign as using:
- Re-architected delivery infrastructure: New domain registrations and IP ranges not matching IOCs from the 2021 campaign, suggesting deliberate evasion of the previously documented indicators
- Updated WhatsApp API abuse: The campaign used WhatsApp’s API in a manner that bypassed the blocking deployed following the 2021 campaign, indicating NSO Group had analysed and adapted to Meta’s defensive response
- Selective targeting: The campaign targeted a small number of specific individuals (dozens, not mass exploitation) in keeping with Pegasus’s premium commercial model, which involves manual target selection by government clients
Meta declined to publish the specific technical details of the new delivery method in the court filing, citing ongoing investigation and the risk of enabling further adaptation by NSO Group. The IOCs for network monitoring were shared with relevant CERTs and the Citizen Lab.
Enterprise and Threat Intelligence Implications
For enterprise security teams, the NSO Group / Pegasus activity has practical threat intelligence value:
- Executive and journalist device targeting: Organisations with employees whose work involves investigating corruption, government contracting, or political topics in regions with known Pegasus use (Eastern Europe, Central Asia, Middle East, Southeast Asia) should apply enhanced mobile security posture to those employees’ devices
- iOS and Android security updates: A zero-click exploit depends on the operating system vulnerability it targets. Maintaining current iOS and Android patch levels is the primary defensive control: every month without OS updates extends the window for zero-click exploits that have been privately developed but not yet patched
- Secure communication alternatives: For individuals at elevated risk, Signal (end-to-end encrypted, open source) provides materially better security than standard WhatsApp or SMS. Signal’s security architecture does not use the message routing infrastructure that WhatsApp API-based delivery methods depend on
The Commercial Spyware Enforcement Gap
The contempt motion illustrates the structural difficulty of enforcement against commercial spyware vendors. NSO Group’s primary clients are government intelligence and law enforcement agencies — it sells capabilities to the same classes of institution that enforce court orders. The commercial model (government clients paying for infrastructure-as-a-service surveillance capability) creates legal and jurisdictional complexity that slows enforcement action.
CISA’s commercial spyware guidance and the EU’s PEGA Committee reports have both documented the enforcement gap. Meta’s contempt filing is one of very few instances of private legal action that has imposed any accountability on a commercial spyware vendor, and even that accountability has not prevented continued operation.