“Ghost Calls” is a powerful new method of short-term covert command-and-control (C2) using mainstream web-conferencing services.
The technique repurposes real-time communication protocols, built for low-latency audio and video streaming, as a high-bandwidth, interactive C2 channel that seamlessly blends into an organization’s normal network traffic.
At Black Hat USA 2025, Praetorian security engineer Adam Crosser introduced TURNt, an open-source tool that automates Ghost Calls to reduce detection risk and accelerate operations requiring rapid data exchange.
Traditional long-term covert channels prioritize stealth and persistence but often lack the throughput and responsiveness needed for interactive tasks such as SOCKS proxying, network pivoting, or remote desktop sessions.
Ghost Calls sidestep these limitations by tunneling command traffic through media servers operated by web-conferencing platforms like Zoom and Microsoft Teams.

These servers are globally distributed and optimized for real-time voice and video, offering built-in relay infrastructure that naturally obfuscates malicious communications.
Because many enterprises whitelist conferencing traffic and exempt it from TLS inspection to preserve call quality, adversaries can transmit large volumes of data over encrypted channels with minimal risk of network-layer detection.
Key to this innovation is the TURN (Traversal Using Relays around NAT) protocol, which negotiates relay servers for WebRTC media when direct peer-to-peer connections fail.
TURNt automates the retrieval of valid TURN credentials from compromised conferencing accounts—credentials that often remain valid for days and function across multiple sessions.
Once obtained, an operator can establish a covert tunnel that mimics an active video call, forwarding arbitrary traffic across the victim network.
In live demonstrations, Crosser’s team achieved sustained 100 MB file transfers and executed remote port-forwarding via Teams TURN servers, all while standard monitoring tools logged only benign conferencing flows.
TURNt: Automated Credential Harvesting
TURNt streamlines the Ghost Calls workflow into a lightweight command-line utility. After deploying a short-lived implant on a target host, it silently extracts TURN credentials by interacting with the conferencing provider’s client API.

Because conferencing applications routinely request these credentials in the background to ensure a seamless user experience, no explicit user interaction or meeting creation is required.
TURNt then launches the relay tunnel alongside a persistent, low-bandwidth C2 channel to orchestrate longer-term implants.
During tunnel operation, the tool generates traffic that is statistically indistinguishable from legitimate conferencing data, leveraging encrypted WebSockets or custom protocols over ports 443/TCP and 8801/UDP to reach the media servers.
By design, TURNt’s core binaries occupy just a few megabytes, and future work aims to reduce the footprint below 1 MB by rewriting in C/C++.
This optimization would improve operational stealth and compatibility with constrained environments such as ephemeral containers or heavily restricted endpoints.

Moreover, Crosser highlighted the extensibility of Ghost Calls: any provider exposing TURN for WebRTC can serve as a covert conduit, inviting research into additional platforms beyond Zoom and Teams.
Detection Challenges
Detecting Ghost Calls presents formidable challenges: TLS inspection bypass, whitelisted IP ranges, and encrypted payloads all conspire to mask malicious traffic as routine conferencing.
According to the report, Ghost Calls underscore the need for security teams to reexamine trusted collaboration services as potential C2 vectors.
Traditional network-layer indicators—such as raw volume spikes or unusual port usage—yield low signal-to-noise ratios amid legitimate collaboration activity.
Instead, Crosser recommends defenders shift focus to higher layers of the kill chain. Monitoring for anomalous process behavior—such as unrecognized binaries invoking conferencing APIs or unauthorized use of TURN credential endpoints—can reveal proxy-based tooling. Deploying canary tokens in credential repositories (Slack, GitHub, SharePoint) may also expose reconnaissance before tunneling commences.
While performance optimizations in conferencing platforms enable a seamless user experience, they simultaneously open a stealthy channel for high-speed, short-duration intrusions.
As TURNt and similar tools mature, defenders must adapt by combining application-layer visibility, behavioral analytics, and credential security to detect and mitigate this evolving threat.
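The process-level monitoring described above, sketched as an added example (not code from TURNt or from the article): it flags endpoint network events in which a binary outside an approved client list reaches conferencing relay hosts on the ports the article names. The event fields, install paths and `conferencing.example` hostnames are assumptions to replace with your own telemetry schema and vendor-published hosts.

```python
import json
import ntpath

# Assumed values: replace with your own inventory and vendor-published hosts.
APPROVED_IMAGES = {
    r"c:\program files\zoom\bin\zoom.exe",
    r"c:\program files\teams\ms-teams.exe",
}
APPROVED_NAMES = {ntpath.basename(p) for p in APPROVED_IMAGES}
RELAY_SUFFIXES = (".relay.conferencing.example", ".turn.conferencing.example")
RELAY_PORTS = {("tcp", 443), ("udp", 8801)}  # ports named in the article

def is_relay(event):
    host = event.get("dest_host", "").lower().rstrip(".")
    flow = (event.get("proto", "").lower(), event.get("dest_port"))
    return host.endswith(RELAY_SUFFIXES) and flow in RELAY_PORTS

def classify(event):
    """Return None for expected traffic, otherwise the reason to investigate."""
    if not is_relay(event):
        return None
    image = ntpath.normpath(event.get("image", "")).lower()  # defeats "..\" and case tricks
    if image in APPROVED_IMAGES:
        return None
    if ntpath.basename(image) in APPROVED_NAMES:
        return "client name from unapproved path"  # likely masquerading
    return "unrecognized binary contacting conferencing relay"

def triage(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            reason = classify(json.loads(line))
        except json.JSONDecodeError:
            reason = "unparseable event"  # keep telemetry gaps visible
        if reason:
            findings.append((n, reason))
    return findings

# Constructed sample events (simplified network-connection telemetry).
FIELDS = ("image", "dest_host", "proto", "dest_port")
SAMPLE = [json.dumps(dict(zip(FIELDS, row))) for row in [
    (r"C:\Program Files\Zoom\bin\Zoom.exe", "a1.relay.conferencing.example", "udp", 8801),
    (r"C:\Users\alice\AppData\Local\Temp\updater.exe", "b2.relay.conferencing.example", "tcp", 443),
    (r"C:\Users\Public\Zoom.exe", "a1.relay.conferencing.example", "udp", 8801),
    (r"C:\Program Files\Browser\browser.exe", "www.example.org", "tcp", 443),
]] + ["{truncated"]
```

Calling `triage(SAMPLE)` returns one `(line_number, reason)` pair per suspicious event. A production rule would also verify the binary's code signature, since a path allowlist alone does not cover a tampered client.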




