Full Report
Zuckercorp says surveillance-for-hire vendor was still running phishing operations after federal court told it to knock it off
Analysis Summary
# Threat Actor: NSO Group
## Attribution & Identity
* **Identification:** NSO Group Technologies.
* **Aliases:** Q Cyber Technologies.
* **Known Associations:** Primarily known as a "surveillance-for-hire" or commercial spyware vendor based in Israel.
* **Status:** Currently on the US government's Entity List.
## Activity Summary
According to Meta (Zuckercorp), NSO Group engaged in social engineering and phishing operations targeting WhatsApp users in 2026, directly defying a permanent injunction issued by a US federal court in 2025. The activity involved creating test accounts and groups on WhatsApp to facilitate "1-click" phishing campaigns designed to lure targets to malicious external domains.
## Tactics, Techniques & Procedures
* **Social Engineering:** Creation of fraudulent accounts and groups to establish contact with targets.
* **Phishing:** Luring users to click on malicious links delivered via WhatsApp messages.
* **Redirection:** Redirecting targets to external websites controlled by the actor for potential payload delivery or credential harvesting.
* **Infrastructure Testing:** Creation of test accounts to validate bypasses of platform security controls.
* **MITRE ATT&CK IDs (Inferred):**
  * T1566.002 (Phishing: Spearphishing Link)
  * T1585 (Establish Accounts)
  * T1204.001 (User Execution: Malicious Link)
## Targeting
* **Sectors:** High-value individuals including activists, journalists, and government officials (historically associated with Pegasus targets).
* **Geography:** Global (targeting WhatsApp's international user base).
* **Victims:** Users of the WhatsApp messaging platform.
## Tools & Infrastructure
* **Malware Families:** Historically associated with **Pegasus** spyware (1-click and 0-click variants).
* **Infrastructure (Defanged):**
  * ikhwancast[.]com
  * ghazacast[.]com
  * fr24cast[.]com
## Implications
* **Legal Defiance:** The activity suggests that commercial spyware vendors may continue operations against high-value platforms even under permanent legal injunctions and significant financial penalties ($475 million jury award).
* **National Security:** Commercial spyware is increasingly framed as a national security threat that undermines secure communications for billions of people.
* **Industry Persistence:** Despite being blacklisted (Entity List), the vendor remains operational and continues to develop methods to circumvent platform security.
## Mitigations
* **Indicator Monitoring:** Organizations should refang the domains listed in the Infrastructure section, block them, and monitor for lookups or connections to them (including their subdomains).
* **User Training:** Educate high-risk users on the dangers of "1-click" phishing and the risks of joining unsolicited messaging groups.
* **Security Updates:** Ensure all messaging applications and mobile operating systems are updated to the latest versions to patch vulnerabilities exploited by NSO tools.
* **Platform Integrity:** WhatsApp continues to disrupt NSO-linked accounts; users should report suspicious accounts or unsolicited links via in-app reporting tools.
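As an added illustration of the Indicator Monitoring step above (this is example code written for this summary, not from Meta or the original report): it refangs the three listed domains, then scans constructed DNS query log lines and flags any query for a listed domain or one of its subdomains. The log format, IP addresses and subdomains are assumptions made up for the example.

```python
import re

# Defanged indicators exactly as listed in the Infrastructure section above.
DEFANGED_DOMAINS = [
    "ikhwancast[.]com",
    "ghazacast[.]com",
    "fr24cast[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable domain name.

    Handles the usual defanging styles: "[.]", "(.)", "{.}", an "hxxp://"
    or "http://" scheme prefix, and a trailing path or dot.
    """
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = re.sub(r"^https?://", "", d)
    d = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", d)
    return d.split("/")[0].rstrip(".")


BLOCKLIST = {refang(d) for d in DEFANGED_DOMAINS}


def is_listed(domain: str) -> bool:
    """True if the domain is a listed indicator or a subdomain of one."""
    d = domain.strip().lower().rstrip(".")
    return any(d == b or d.endswith("." + b) for b in BLOCKLIST)


# Constructed dnsmasq-style query log lines (assumed format, not from the page).
SAMPLE_LOG = """\
Mar 12 10:01:02 dnsmasq[812]: query[A] www.example.org from 10.0.0.5
Mar 12 10:01:07 dnsmasq[812]: query[A] cdn.ghazacast.com from 10.0.0.7
Mar 12 10:01:09 dnsmasq[812]: query[AAAA] notghazacast.com from 10.0.0.7
Mar 12 10:01:15 dnsmasq[812]: query[A] FR24CAST.COM. from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")


def find_hits(log_text: str) -> list[tuple[str, str]]:
    """Return (queried_domain, source_ip) for each query that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_listed(m.group(1)):
            hits.append((m.group(1).rstrip(".").lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for domain, src in find_hits(SAMPLE_LOG):
        print(f"ALERT: {src} queried listed domain {domain}")
```

Note that the suffix check deliberately rejects look-alike names such as `notghazacast.com`, which a naive substring match would flag.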