WhatsApp uncovers new Pegasus spyware campaign using one-click phishing links
WhatsApp, the messaging platform owned by Meta, has detected and disrupted a sophisticated hacking campaign that used a one-click exploit to target its users. The exploit was developed by NSO Group, an Israeli spyware maker known for its Pegasus software. Meta disclosed the incident in a recent statement, revealing that attackers sent specially crafted phishing links through WhatsApp chats to trick victims into clicking on them.
The phishing links redirected users to malicious websites that attempted to install Pegasus spyware on their devices. Pegasus is notorious for its use by authoritarian governments to surveil politicians, journalists, and civil society activists. WhatsApp's parent company Meta has asked a US court to hold NSO Group in contempt for violating an earlier permanent injunction that barred the company from targeting WhatsApp or its users.
This latest disclosure follows a landmark US court order in 2024 that permanently barred NSO Group from accessing WhatsApp systems. The injunction came after a six-year legal battle over a 2019 hacking campaign in which Pegasus exploited a vulnerability in WhatsApp to infect approximately 1,400 devices belonging to journalists, human rights activists, diplomats, and government officials.
Once installed, Pegasus can gain near-complete control over a smartphone. It allows operators to read encrypted messages, access emails and photos, record calls, activate the microphone and camera, and track the device's location. Due to WhatsApp's large global user base and its use by individuals seeking private communication free from state surveillance, the platform has been a prime target for Pegasus deployments.
NSO Group has consistently stated that it sells Pegasus only to government agencies. However, the company's tools have been linked to widespread abuses.
How NSO changed its attack strategy
Meta said the new hack involved NSO Group attempting to trick people into clicking on malicious links that redirected them to websites outside WhatsApp. This is similar to previously reported one-click phishing campaigns linked to the company. Meta also noted that NSO created test accounts and groups on WhatsApp, which the company took down after investigating user reports. The hacking campaign relied on social engineering, requiring victims to perform a single action—clicking a link—to trigger the exploit.
Unlike the infamous “zero-click” exploits that made Pegasus notorious, a one-click exploit requires the victim to interact. In earlier Pegasus campaigns, zero-click attacks exploited vulnerabilities in services like WhatsApp’s calling feature or Apple’s iMessage, infecting devices simply by receiving a call or message, even if the recipient never responded. Security researchers note that one-click attacks may appear less technically advanced, but they remain highly effective because they exploit human behaviour through carefully crafted phishing messages that appear legitimate.
WhatsApp has urged users to remain cautious about clicking on unknown links, even from known contacts, as attackers often compromise accounts to send malicious links. The platform continues to implement security measures to protect its users.