Amnesty said in a statement that its investigations showed that the malware had connections with more than 600 domain names, all of which had been previously identified as part of Pegasus.
The staffer in question, who is based in Saudi Arabia, received a suspicious WhatsApp message in June which included a malicious link.
The sender's number was that of a commercial provider which enables the sending of bulk SMS messages.
"These messages carried links to domains which we identified as part of that same network infrastructure used by NSO Group or its customers to deliver exploits and malware designed to silently harvest data from the victims’ phones," Amnesty said.
"This malware would allow an attacker complete access to the target’s phone or computer, essentially turning the device into a sophisticated eavesdropping and tracking tool to be used against them."
Amnesty found documentation on the NSO Group's site that described the kind of SMS messages its staffer had received as an "enhanced social engineering message".
Had the staffer clicked on the link in the SMS, he would have been connected through a network of anonymising nodes provided by NSO Group, which are designed to obscure the final location of the Pegasus servers in a way that conceals the customer’s identity or origin.
Finally, the victim would end up at a server which would try to exploit his device and install the Pegasus malware.
Amnesty said it had identified two other characteristics that connected the message to the NSO Group. "One is evidence that connects the malicious links we received and collected with NSO Group network infrastructure that was previously discovered and publicly reported on by Citizen Lab.
"And, though more speculative, the second is a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours (where NSO is based)."
The rights organisation contacted NSO Group, which said its product was meant to be used only for the investigation and prevention of crime and terrorism.
Amnesty said what it was doing — protecting human rights — was not a crime. "While law enforcement institutions in many countries have used secret surveillance in relation to national security objectives, Amnesty International as well as numerous other human rights organisations have documented cases where surveillance has been and continues to be carried out in a manner contrary to international human rights law - an important example being when people are targeted for surveillance based only on the exercise of their human rights," it said.
"In these cases, surveillance would amount to an 'arbitrary or unlawful' attack on their privacy or otherwise violate other human rights. Surveillance through the use of state-hacking tools such as those that NSO group provides is an extraordinarily invasive form of surveillance, and thus an especially problematic one under international human rights law and standards."