New Ghost Calls Attack Abuses Web Conferencing for Covert Command & Control

A sophisticated new attack technique called “Ghost Calls” exploits web conferencing platforms to establish covert command and control (C2) channels. 

Presented by Adam Crosser from Praetorian at Black Hat USA 2025, this groundbreaking research demonstrates how attackers can leverage the TURN protocol and legitimate conferencing infrastructure to bypass network security measures.

Key Takeaways
1. The TURNt tool exploits the TURN protocol used by Zoom, Teams and Meet to create hidden command and control channels.
2. It uses legitimate conferencing ports and benefits from corporate TLS inspection exemptions.
3. Its encrypted traffic appears identical to normal video calls, defeating traditional network monitoring.

The attack utilizes a newly developed tool called TURNt (TURN tunneler), which abuses the TURN (Traversal Using Relays around NAT) protocol commonly used by web conferencing applications. 

TURN servers, essential for WebRTC communications, enable peer-to-peer connections through firewalls and NAT devices. 

The tool explicitly targets the major platforms: Zoom (55.91% market share), Microsoft Teams (32.29%), and Google Meet (5.52%).

TURNt operates by obtaining TURN credentials from legitimate web conferencing sessions, which typically remain valid for several days. These credentials use the format:

The attack leverages standard ports like 443/TCP for TLS connections and 8801/UDP for media traffic, making detection extremely challenging as this traffic appears identical to legitimate video conferencing.

What makes Ghost Calls particularly insidious, the presentation notes, is that it exploits security recommendations issued by the conferencing providers themselves.

Both Zoom and Microsoft Teams officially recommend split-tunneling VPN configurations and exemptions from TLS inspection to optimize performance. 

Figure: Zoom Desktop Egress Attempts

Microsoft’s documentation explicitly states: “We recommend that Teams traffic bypasses proxy server infrastructure, including SSL inspection.”

The attack supports multiple communication modes, including SOCKS proxying, local and remote port forwarding, and can establish connections through WebSockets over HTTPS, DTLS-SRTP encrypted channels, and custom protocols over both TCP/443 and UDP/8801. 

Network traffic analysis reveals standard WebRTC handshake processes with DTLS encryption, making malicious traffic indistinguishable from legitimate conferencing data.
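To make concrete what the TURN allocation described above looks like on the wire, here is an added example (not code from the talk or from the TURNt project): a minimal STUN/TURN parser following the RFC 5389 header layout and the RFC 5766 method numbers. It decodes the message class and method from the 14-bit type field, walks the TLV attribute list, and summarizes an Allocate exchange (username, requested transport, lifetime). The sample messages are constructed in the block itself; the username value is a placeholder, not a real credential.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442  # fixed cookie in every STUN/TURN header (RFC 5389)

# Method numbers from RFC 5389 (Binding) and RFC 5766 (TURN)
METHODS = {
    0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
    0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind",
}
CLASSES = {0: "request", 1: "indication", 2: "success-response", 3: "error-response"}
ATTR_NAMES = {
    0x0006: "USERNAME", 0x000D: "LIFETIME", 0x0014: "REALM",
    0x0015: "NONCE", 0x0019: "REQUESTED-TRANSPORT",
}


def decode_message_type(msg_type):
    """Split the 14-bit STUN message type into (method, class)."""
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    return method, cls


def encode_message_type(method, cls):
    """Inverse of decode_message_type: interleave class bits into the method bits."""
    return ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
            | ((cls & 0x2) << 7) | ((cls & 0x1) << 4))


def build_message(method, cls, attrs, txn_id=b"\x01" * 12):
    """Serialize a STUN/TURN message; attrs is a list of (type, raw value)."""
    body = b""
    for atype, value in attrs:
        pad = (4 - len(value) % 4) % 4          # attribute values are padded to 4 bytes
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad
    header = struct.pack("!HHI", encode_message_type(method, cls), len(body), STUN_MAGIC_COOKIE)
    return header + txn_id + body


def parse_message(data):
    """Parse one STUN/TURN message into method, class, transaction id and attributes."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        raise ValueError("not a STUN/TURN message")
    if 20 + length > len(data):
        raise ValueError("truncated message body")
    method, cls = decode_message_type(msg_type)
    attrs, off, end = {}, 20, 20 + length
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) < alen:
            raise ValueError("truncated attribute")
        attrs[ATTR_NAMES.get(atype, f"0x{atype:04x}")] = value
        off += 4 + alen + ((4 - alen % 4) % 4)
    return {"method": METHODS.get(method, f"0x{method:03x}"), "class": CLASSES[cls],
            "txn_id": data[8:20], "attrs": attrs}


def summarize_allocation(msg):
    """Extract the fields an analyst cares about from an Allocate request/response."""
    if msg["method"] != "Allocate":
        return None
    a, out = msg["attrs"], {"class": msg["class"]}
    if "USERNAME" in a:
        out["username"] = a["USERNAME"].decode("utf-8", "replace")
    if "LIFETIME" in a:
        out["lifetime_s"] = struct.unpack("!I", a["LIFETIME"])[0]
    if "REQUESTED-TRANSPORT" in a:     # first byte is the IANA protocol number
        out["transport"] = {6: "TCP", 17: "UDP"}.get(a["REQUESTED-TRANSPORT"][0], "other")
    return out


# Constructed sample exchange (placeholder username, not a real credential)
SAMPLE_ALLOCATE_REQUEST = build_message(0x003, 0, [
    (0x0006, b"1753000000:constructed-user"),
    (0x0019, b"\x06\x00\x00\x00"),             # TCP relay requested
    (0x000D, struct.pack("!I", 3600)),
])
SAMPLE_ALLOCATE_RESPONSE = build_message(0x003, 2, [(0x000D, struct.pack("!I", 600))])

if __name__ == "__main__":
    for pkt in (SAMPLE_ALLOCATE_REQUEST, SAMPLE_ALLOCATE_RESPONSE):
        print(summarize_allocation(parse_message(pkt)))
```

The class and method are the two pieces of state an analyst needs first: an Allocate request followed by a success response means a relay address was granted, and the LIFETIME the server returns (not the one the client asked for) is what governs how long the allocation lives before a Refresh is needed.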

Mitigations

Security experts warn that traditional network monitoring approaches prove ineffective against Ghost Calls attacks. 

The research emphasizes that focusing on traffic volume correlation or process-to-destination mapping yields high false positive rates due to the legitimate nature of the underlying protocols.

Instead, defenders should implement canary tokens to detect early enumeration activities and focus on identifying proxied offensive tools like Impacket or secretsdump.py rather than monitoring the communication channel itself. 

The attack’s sophistication lies in its ability to blend seamlessly with enterprise-approved traffic patterns, making it a significant concern for cybersecurity professionals.

The TURNt tool has been released as open-source software, enabling security researchers to better understand and develop countermeasures against this emerging threat vector.
