Meta just put an end to a spyware campaign targeting WhatsApp users. The threat is linked to the firm NSO, the developer of the infamous Pegasus spyware. In this report, we will cover what the campaign likely looked like for those impacted, how spyware breaches your iPhone, why you should care, and what you can do about it. Let’s dive in.
Meta released data for users to check if they were targeted by Pegasus spyware
On June 8, 2026, Meta reported that they identified and disrupted a threat campaign linked to NSO, a spyware firm blacklisted by the US government.
In this campaign, users got messages that included malicious links. When users clicked on the links and were directed to malicious websites, their smartphones were breached using zero-click attack techniques.
Check your WhatsApp messages for phishing
Meta assures that WhatsApp itself is safe and that your personal messages and calls remain protected with default end-to-end encryption.
The threat actors who were using the NSO spyware also created test accounts and groups on WhatsApp, which Meta took down as well.
Meta said users should check messages received via WhatsApp, SMS, email, or other channels. This implies that the cyberattack may have extended beyond the WhatsApp app.
What the new WhatsApp Pegasus cyberattack looks like for users
Knowing what a cyberattack looks like on your screen can help you steer clear of it before it becomes a problem or take swift action if something slips past you.
From your POV, the Pegasus cyberattack looks like this:
- You get a message via WhatsApp, SMS, or other channels.
- The message likely includes an impersonation of a brand or company and offers you a link.
- You click on the link and land on a malicious site.
- The malicious site is coded to exploit a zero-day vulnerability and breaches your smartphone without you interacting with the page, downloading anything, or clicking on anything.

How can spyware breach my device if I didn’t download or click anything?
Spyware vendors are known to have the capacity to hide aggressive code in images, videos, and websites, allowing a cyberattack to unfold when the site or images simply load in your browser or apps.
For example, the Predator spyware breached devices simply by showing users a malicious ad. No click, no links, no interaction required. That is the craft of zero-click attacks that spyware vendors master.
Spyware like DarkSword (adapted for financial heists), by comparison, breaches devices by directing users to websites that hide malicious code within the HTML, specifically in iframes.
![Shared by Lookout: HTML content of the DarkSword File Receiver endpoint previously located on sqwas.shapelie[.]com. This is the code hidden in iFrame that DarkSword was identified using in its campaigns.](https://moonlock.com/2026/03/HTML-content-of-the-DarkSword-File-Receiver-endpoint-previously-located-on-sqwas.shapelie.com_.webp)
Similar techniques have been adopted by bad actors who develop other types of malware. For example, in March 2026, the malicious GhostPoster browser extensions, downloaded by about 1 million users and initially found on the official Chrome, Firefox, and Edge stores, breached user devices by simply loading a PNG logo image.
Meta did not share the specific technique or vulnerability that was used by this Pegasus campaign. It is highly likely that the digital forensic data will be shared by Meta with companies like Apple, which will use it to develop new security patches.
Once your iPhone is breached with malware like Pegasus, the threat will remain hidden, evade security detections, establish persistence, and create a communication channel to exfiltrate your data to an attacker-controlled server.
Spyware like Pegasus can access your camera, microphone, documents, data, and location. And, using a backdoor, it can run remote commands.
Malicious websites linked to the Pegasus campaign
While Meta did not reveal the specifics of the campaign, they did share some indicators of compromise (IoCs). In this case, these are the malicious sites used by Pegasus to breach devices.
The 3 malicious websites linked to this Pegasus campaign are:
- hxxps://ikhwancast[.]com
- hxxps://ghazacast[.]com
- hxxps://fr24cast[.]com
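
One way to put these indicators to use, as an added example that is not from Meta or part of the original report: the script refangs the three published domains and flags any link in exported message text whose host is one of them or a subdomain, while ignoring look-alike names. The function names and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# IoCs exactly as published above (defanged).
PUBLISHED_IOCS = ["hxxps://ikhwancast[.]com", "hxxps://ghazacast[.]com",
                  "hxxps://fr24cast[.]com"]

def refang(text):
    """Undo common defanging: hxxp -> http, [.] / (.) / [dot] -> '.'."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.IGNORECASE)

def host_of(token):
    """Lowercase hostname of a URL or bare domain; '' if it cannot be parsed."""
    token = refang(token.strip().strip("<>()\"'.,;"))
    if "://" not in token:
        token = "//" + token  # make urlsplit treat a bare domain as the host
    try:
        host = urlsplit(token).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

IOC_HOSTS = {host_of(ioc) for ioc in PUBLISHED_IOCS}

def matches_ioc(host):
    """Exact IoC host or a subdomain of one; look-alike names do not match."""
    return any(host == d or host.endswith("." + d) for d in IOC_HOSTS)

def scan_messages(messages):
    """Return (message_index, host) for each token that resolves to an IoC."""
    hits = []
    for idx, msg in enumerate(messages):
        for token in msg.split():
            host = host_of(token)
            if host and matches_ioc(host):
                hits.append((idx, host))
    return hits

# Constructed sample messages (not real campaign texts).
SAMPLE_MESSAGES = [
    "Watch the live feed at " + refang(PUBLISHED_IOCS[2]) + "/live?id=1",
    "Mirror: hxxps://CDN.ghazacast[.]com/a",
    "Look-alikes: hxxps://xfr24cast[.]com/ hxxps://fr24cast[.]com.example[.]org/",
    "Lunch at 12?",
]

if __name__ == "__main__":
    for idx, host in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: link to published IoC host {host}")
```

Matching on the parsed hostname rather than on a substring is what keeps the look-alike names in the third sample message from producing false hits.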

Three Pegasus malicious websites with some similarities
WHOIS data reveals that all the sites list the same privacy-redacted registered entity. More importantly, all 3 sites were created on September 13, 2025.
While this does not necessarily mean that this Pegasus campaign was live since then, it does indicate that the malicious infrastructure was in place or being built around that date. Today, all 3 sites are no longer live.
Besides registrant data and creation dates, the 3 sites share similarities in their names, with the use of the word “cast” present in all of them. These similarities are often used by threat actors in impersonation campaigns. The suffix “cast” is linked to online livestreams, feeds, podcasts, app development, news, streaming, or broadcast hubs, aligning with previous Pegasus campaigns uncovered by Citizen Lab, where threat actors posed as media when contacting users via WhatsApp.
Meta said these phishing texts were similar to ones reported in a Citizen Lab investigation in February 2024. In that Pegasus spyware campaign, as the screenshot at the end of the next section shows, threat actors impersonated news and media outlets when contacting users being targeted by spyware.
Meta said in its press release that the new Pegasus phishing campaigns were similar to the one reported by Citizen Lab and linked above.
Notably, online image searches for the term fr24 contained in the malicious Pegasus domain name (hxxps://fr24cast[.]com) show the France 24 media outlet as a top result.

Why should I care about sophisticated commercial spyware?
While commercial spyware is reportedly only used to target high-level individuals in sectors like government, opposition, human rights, and investigative journalism, the impact of the malware is broad.
Some reports indicate that commercial spyware like Pegasus has spread into the wider cybercriminal arena and is present on more devices than originally believed.
In December 2024, iVerify reported that a scan of 2,500 iPhones revealed that 7 of them contained Pegasus spyware. That number is much higher than the traditional narrative would suggest, in which commercial spyware is reserved for very high-level targeting in isolated cases.
Besides the debatable availability of spyware on the dark web, there is the issue of security patches. In its recent press release, Meta explained that Apple had to patch more than 1 billion devices in 2021 due to a Pegasus exploit. Unfortunately, this was not a one-time event. This year alone, Apple has developed numerous spyware-linked patches for all its operating systems on a rather regular basis.
For example, we recently reported that Apple issued over 130 patches for all devices. Many of the patches in that release are linked to exploits that commercial spyware vendors use, especially WebKit exploits (targeting your browser engine).
Google Threat Intelligence Group also recently noted the high volume of vulnerabilities and exploits linked to spyware.
“For the first time since we began tracking zero-day exploitation, we attributed more zero-days to (commercial spyware vendors) CSVs than to traditional state-sponsored cyber espionage groups,” Google Threat Intelligence Group said.
“This illustrates the expansion of access to zero-day exploitation via these vendors to a wider array of customers than ever before,” their report concluded.
Are spyware vendors ever held accountable?
Courts do take action against spyware vendors. Let’s look into a recent example.
In December 2025, after hundreds of accounts in over 80 countries received spyware warnings, we reported on the zero-click Predator spyware developed by the company Intellexa. The event led to the “Predatorgate” scandal and opened up investigations in Greece and other European countries.
Fast-forward about 2 months, and the Spyware Accountability Initiative (SAI), to which Meta contributes, reported that on February 26, 2026, a court in Athens delivered a landmark verdict in the “Predatorgate” scandal. The Greek court sentenced executives of the spyware firm Intellexa to maximum prison terms for their role in the illegal deployment of Predator spyware, SAI reported.
In its recent press release, Meta urged US courts to hold NSO in contempt for violating a permanent injunction (issued in previous legal cases) that banned it from ever targeting WhatsApp and its users.
“The court was unequivocal: NSO violated federal and state laws against hacking,” said Meta. “Today, we’re asking the court to hold them in contempt of that order.”
Unfortunately, spyware goes well beyond Pegasus and Predator. While we will not dive deep into the world of commercial spyware vendors, it is important to note that the industry is booming. In a 2025 report, Recorded Future said that the size of the commercial spyware industry is unknown.
“One study identified 435 entities operating across 42 countries,” said Recorded Future. “However, this is likely a fraction of the total ecosystem, which includes holding companies, vendors, individual researchers, and investors.”
So, what can you do about spyware?
The fight against zero-click attacks and sophisticated malware may sound like an uphill battle, but there are still some things you can do to keep your devices safe.
Update all your devices and apps
As mentioned, Apple and other tech firms and developers are constantly developing new security patches to strengthen their systems and software specifically against spyware campaigns. As such, make sure to keep all your devices and apps up to date.
Here’s what WhatsApp advised its users
Besides encouraging people to update their devices and apps, Meta asked users to report suspicious activity so they can investigate and take action.
“For those who believe they may be targeted by sophisticated cyberattacks, we strongly recommend enabling strict account settings to harden their WhatsApp accounts even more,” said Meta.
Get Moonlock. It will keep your Mac clean of malware.
Whether it’s from iPhone mirroring or through stolen data, if your smartphone is breached by advanced spyware, your Mac is likely to quickly follow.
The Moonlock security app, through Real-Time Protection, will check every file you interact with. If the app finds anything suspicious, it will let you know what it is and why it is dangerous. It will then move the threat to Quarantine. There, you can take a closer look at the threats your Mac encountered and remove them for good.
The app is constantly updated to deal with new threats as they emerge, giving users protection even before companies like Apple issue patches.

The Moonlock app also comes with a built-in Scam Detector that can help you flag phishing messages just like the ones used in this Pegasus campaign. All you have to do is open the Scam Detector feature on the Moonlock app and copy and paste the message into it. The Scam Detector will report the likelihood of whether the message is associated with a scam, and why.

You can check out and test-drive Moonlock for free for 7 days.
Final thoughts
This is not the first time we have had breaking news about Pegasus and other spyware operations, nor will it be the last. Fortunately, companies like Meta, Apple, Google, Microsoft, and others in the cybersecurity community are strongly committed to fighting this threat.
In addition to keeping an eye on how spyware evolves and how it can impact you, simple actions can help you keep your devices more secure. Follow the tips in this report to build up your cybersecurity awareness and strengthen your privacy posture.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc or Meta Platforms, Inc. Mac and macOS are trademarks of Apple Inc. Meta and WhatsApp are trademarks of Meta Platforms, Inc.
