Executive Summary
In early 2026, WhatsApp introduced a new 'Strict Account Settings' feature to defend high-risk users such as journalists and public figures against highly targeted spyware attacks. This rollout followed a series of incidents in recent years where advanced zero-click exploits—many attributed to government-linked actors—were used to deploy spyware like NSO Group’s Pegasus and Paragon Graphite onto users’ devices via messaging platforms. Exploits leveraged zero-day vulnerabilities in WhatsApp’s iOS and macOS clients, enabling attackers to compromise devices without user interaction, raising severe risks to privacy and personal safety for individuals facing nation-state targeting.
This event is particularly relevant as threat actors increasingly adopt sophisticated, zero-click methods to compromise high-value targets. Security and privacy expectations for messaging apps are under heightened scrutiny, with regulators and civil society urging greater protections and rapid incident response to curtail such threats.
Why This Matters Now
State-sponsored spyware campaigns continue to evolve, targeting both organizations and individuals through widely used messaging apps. Zero-click exploits remain an urgent threat to civil society, business leaders, and journalists, making the deployment of advanced, user-centric safeguards like WhatsApp’s lockdown features both timely and essential.
Attack Path Analysis
A threat actor exploited a zero-day vulnerability in WhatsApp to achieve remote initial compromise of high-risk users' mobile devices via zero-click spyware delivery. Upon establishing a foothold, the attacker leveraged the malware's capabilities to escalate privileges locally, bypassing standard OS controls. The spyware then moved laterally within the device to access sensitive files and potentially targeted other linked messaging applications. Next, the malware established encrypted command and control channels to receive attacker instructions. Sensitive data, including chats, media, and account details, was exfiltrated using covert channels to the attacker's infrastructure. The incident resulted in exposure of private communications, loss of sensitive information, and possible reputational impact for targeted individuals.
Kill Chain Progression
Initial Compromise
Description
Attackers leveraged a zero-click exploit targeting a WhatsApp zero-day vulnerability to silently deliver spyware to the victim's mobile device.
Related CVEs
CVE-2025-55177
CVSS 5.4An incomplete authorization vulnerability in WhatsApp's linked-device synchronization mechanism allows remote attackers to force a device to process malicious content from arbitrary URLs without user interaction.
Affected Products:
Meta WhatsApp for iOS – < 2.25.21.73
Meta WhatsApp Business for iOS – < 2.25.21.78
Meta WhatsApp for Mac – < 2.25.21.78
Exploit Status:
exploited in the wildCVE-2025-43300
CVSS 10An out-of-bounds write vulnerability in Apple's Image I/O framework allows remote attackers to execute arbitrary code via crafted image files.
Affected Products:
Apple iOS – < 18.6.2
Apple iPadOS – < 18.6.2
Apple macOS Sequoia – < 15.6.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
This mapping highlights key MITRE ATT&CK techniques observed or implicated in spyware attacks like those targeting WhatsApp, and is suited for SEO, filtering, or further analysis with expanded STIX/TAXII enrichment.
Stage Capabilities: Upload Malware
Drive-by Compromise
Exploitation for Client Execution
Forge Web Credentials: Web Session Cookie
Input Capture: Keylogging
Device Unlock and Lock
Deobfuscate/Decode Files or Information
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-factor authentication for all access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Strong Authentication & Least Privilege
Control ID: Identity Pillar – Pillar 3
NIS2 Directive – Technical and Organizational Measures – Access Controls
Control ID: Art. 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Newspapers/Journalism
Journalists face sophisticated spyware attacks via WhatsApp exploiting zero-click vulnerabilities, requiring strict account settings and encrypted communications protection.
Government Administration
Government officials targeted by state-sponsored spyware through messaging platforms, necessitating enhanced zero-trust segmentation and threat detection capabilities.
Political Organization
Political figures vulnerable to Pegasus-style surveillance attacks via WhatsApp zero-days, demanding lockdown security features and anomaly detection systems.
Human Resources/HR
HR departments managing high-risk personnel communications require egress security controls and encrypted traffic protection against sophisticated cyber campaigns.
Sources
- New WhatsApp lockdown feature protects high-risk users from hackershttps://www.bleepingcomputer.com/news/security/whatsapp-gets-new-lockdown-feature-that-blocks-cyberattacks/Verified
- WhatsApp fixes 'zero-click' bug used to hack Apple users with spywarehttps://techcrunch.com/2025/08/29/whatsapp-fixes-zero-click-bug-used-to-hack-apple-users-with-spyware/Verified
- WhatsApp Flaw Exploited Alongside Apple Zero-Day in Spyware Attackshttps://cyberinsider.com/whatsapp-flaw-exploited-alongside-apple-zero-day-in-spyware-attacks/Verified
- CISA Flags WhatsApp Zero-Day Vulnerability Exploited in Zero-Click Spyware Attackshttps://www.clearphish.ai/news/cisa-whatsapp-zero-day-vulnerability-2025Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
This incident highlights the importance of Zero Trust segmentations, workload isolation, and egress policy enforcement to constrain remote compromise, privilege escalation, and data exfiltration in cloud-connected mobile environments. Applying CNSF controls could limit attacker access between services, curb unauthorized elevation, and block malicious outbound traffic.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detection and segmentation may have limited initial remote exploit exposure.
Control: Zero Trust Segmentation
Mitigation: Further privilege gains could have been detected or isolated.
Control: East-West Traffic Security
Mitigation: Unauthorized access between apps and services could have been restricted.
Control: Multicloud Visibility & Control
Mitigation: Anomalous outbound C2 flows could have been detected or blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Egress policy could have prevented or alerted on sensitive data exfiltration.
Incident impact could likely have been reduced if earlier controls constrained attacker activities.
Impact at a Glance
Affected Business Functions
- Messaging Services
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data, including messages and media, due to unauthorized access facilitated by the vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce inline IPS at all possible ingress/egress points to detect and block exploit attempts leveraging messaging applications.
- • Deploy granular east-west segmentation and zero trust network policies to contain compromised endpoints and limit lateral movement.
- • Implement robust egress firewall policies to restrict devices and workloads from reaching unauthorized internet destinations, especially for command and control and data exfiltration vectors.
- • Mandate encryption of all sensitive data in transit, including between workloads and to/from the internet, using strong protocols such as MACsec and IPsec.
- • Establish continuous anomaly detection and incident response plans to enable rapid discovery and containment of abnormal network behaviors related to spyware operations.
