New Delhi: Less than eight months after securing a landmark injunction against Israeli spyware maker NSO Group, WhatsApp and its parent company Meta have returned to a US court alleging that NSO violated the order almost immediately and continued to use the messaging platform to support Pegasus spyware operations.In a contempt motion filed before the US District Court for the Northern District of California on Monday (June 8, 2026), Meta told the court that “clear and convincing evidence shows that NSO began violating this Court’s injunction almost immediately and continues violating it today”. The company has asked judge Phyllis Hamilton to hold NSO in civil contempt and impose escalating fines until it complies with the court’s order.The filing marks the latest chapter in the long-running legal battle that began in 2019 when WhatsApp accused NSO of exploiting its platform to deploy Pegasus spyware against approximately 1,400 users worldwide.Last October, Judge Hamilton granted WhatsApp a permanent injunction after finding NSO liable for violating US anti-hacking laws and breach of contract by using WhatsApp’s infrastructure to deploy Pegasus spyware.The injunction, which became enforceable on January 28 this year, barred NSO from creating WhatsApp accounts, using technology that interacts with the platform and maintaining customer access to systems that depend on WhatsApp. It also required the company to delete code and technologies linked to WhatsApp and disable customer access to them.According to Meta, NSO nevertheless continued operating on WhatsApp after the injunction took effect.“Since the injunction went into effect on January 28, 2026, NSO has engaged in two categories of conduct that the injunction prohibits,” the filing stated. “First, NSO created and operated accounts on the WhatsApp platform, using them to set up groups for ‘testing’. Second, in February and April 2026, NSO used WhatsApp to send one-click malicious URL links to targeted WhatsApp users.”Meta’s threat intelligence team claimed that it identified at least 23 WhatsApp accounts and 34 WhatsApp groups linked to NSO that were created between January 28 and early June 2026. Of those, more than 20 were identified as “testing groups” used to “demonstrate, test or confirm functionality of the spyware”.In a declaration accompanying the motion, Meta security engineer Andrew Blaich said the groups appeared across at least 13 countries and frequently used names such as “Tests in Guinea 25.02.2026”, “Tests in Tanzania 11.2.2026”, “Tests in Senegal 26.03.2026”, “Tests in Mali 10.03.2026”, “Tests in El Salvador 27.03.2026”, “Tests in Yemen 20.04.2026” and “Tests in Somalia 7.5.26”. According to Meta, the naming convention matched patterns previously associated with NSO’s internal testing operations.The filing also cites a user report involving an image allegedly sent by one of the accounts on February 4. According to Blaich, the photograph depicted “a desktop mat displaying the NSO Group logo”, which Meta said was consistent with indicators it had previously used to identify NSO-linked activity.Meta argues that such conduct falls squarely within the activity the court intended to prohibit.Citing the US federal judge’s injunction ruling, the company noted that “while it may remain legal to create new WhatsApp accounts and to use WhatsApp, the facts in this case show that such activities have been used as a precursor to illegal activities”. The motion adds that NSO’s continued operation of testing accounts is “the precursor conduct the injunction was entered to reach”.Spyware delivery campaigns after injunctionThe second category of alleged violations was of spyware delivery campaigns conducted after the injunction took effect.According to the filing, between February 3 and February 7, an NSO customer using infrastructure operated by the company sent one-click malicious links to WhatsApp users. A second campaign allegedly took place between April 13 and April 19. Meta said the links used domains identified as “ghazacast[.]com” and “ikhwancast[.]com”, which investigators linked to a larger cluster of websites previously associated with NSO’s spyware delivery infrastructure.Meta told the court that “each URL was designed so that, if the target clicked the link, malware would attempt to download and install on the device”. The links were allegedly delivered through WhatsApp messages and were identified through reports submitted by users through the platform’s reporting mechanism.Meta says this image of a desktop mat displaying the NSO Group logo is corroborating evidence that a WhatsApp account reported by a user was linked to NSO. Photo: Meta court filings.Blaich said Meta attributed both campaigns to NSO “with high confidence”. The declaration cites the domains used, their technical behaviour, impersonation techniques and continuity with previous Pegasus operations. According to Meta, the activity appeared to be “a continuation of activity that began before November 12, 2025”.The company also rejected any suggestion that responsibility lay solely with NSO’s government customers.“NSO does not avoid the injunction by routing the final transmission through a customer,” the motion stated. “The injunction reaches NSO’s provision of the platform-interacting infrastructure, whoever sends the message.”Meta’s filing repeatedly links the latest allegations to findings already made during the underlying lawsuit. It notes that the court previously found that NSO had “redesigned Pegasus to evade detection after plaintiffs first fixed the security breach” and made “repeated efforts to circumvent plaintiffs’ security measures”. The company argues that those findings were central to the decision to issue the injunction in the first place.The motion further argues that the alleged violations cannot be explained by confusion about the scope of the order. It noted that shortly after the injunction was entered, NSO’s chief executive submitted a declaration stating that the company’s “prior testimony that NSO no longer has any installation vectors for Pegasus that use WhatsApp, WhatsApp’s servers or WhatsApp’s client application remains accurate”. Meta argues that the conduct uncovered since then undermines those assurances.Meta says stronger measures against NSO are requiredThe filing goes on to accuse NSO of a pattern of non-compliance during the litigation, alleging that the company had “resisted and evaded this Court’s authority”, made representations later contradicted by evidence and failed to produce material ordered by the court.Meta argues that stronger measures are now necessary because previous court orders have failed to secure compliance.“Lesser sanctions and ordinary court orders have not produced compliance with this Court’s prior directives,” the motion states. “There is no reason to expect a different result here without a sanction calibrated to NSO’s demonstrated willingness to disregard the Court’s order,” it says.The company has asked the court to find NSO in contempt of paragraphs 3(a), 3(d) and 4 of the injunction, impose escalating daily fines until compliance is achieved and require the company to identify every WhatsApp account and IP address it currently uses to interact with the platform. Under Meta’s proposed order, NSO would also have to provide certifications under penalty of perjury from its chief executive officer and executive chairman confirming full compliance before sanctions could be lifted.Days before the October 2025 injunction, NSO confirmed that a US investor group had acquired a controlling stake in the company, although the Pegasus maker remains subject to Israeli regulatory oversight.The Pegasus spyware has been linked to surveillance of journalists, activists, politicians, diplomats and civil society figures around the world. In India, WhatsApp informed the government in 2019 that 121 Indian users had been targeted. In 2021, The Wire was part of an international media consortium that reported on a leaked database of potential Pegasus targets that included journalists, opposition politicians, activists and government officials. The Indian government has repeatedly declined to confirm or deny whether it acquired or used Pegasus spyware.