
Recent “Ghost Calls” attacks exploit web conferencing tools for secret command and control operations.

A new attack technique known as “Ghost Calls” exploits web conferencing platforms to establish covert command and control (C2) channels. Presented by Adam Crosser from Praetorian at Black Hat USA 2025, the research shows how attackers can leverage the TURN protocol and legitimate conferencing infrastructure to bypass network security measures. The TURNt tool specifically targets major platforms such as Zoom, Microsoft Teams, and Google Meet, using TURN credentials obtained from legitimate sessions, which typically remain valid for several days. Because it operates over standard ports like 443/TCP and 8801/UDP, the malicious traffic appears indistinguishable from normal video calls, effectively evading traditional network monitoring systems. The attack also takes advantage of the conferencing providers' own recommendations, which advocate split-tunnelling VPN configurations and exemptions from TLS inspection to enhance performance.

The TURNt tool supports various communication modes, including SOCKS proxying and local and remote port forwarding, and establishes connections through WebSockets over HTTPS and DTLS-SRTP encrypted channels. Network traffic analysis shows that the attack mimics the standard WebRTC handshake, making it difficult to differentiate between legitimate and malicious traffic. Security experts caution that conventional network monitoring approaches are ineffective against Ghost Calls attacks, as they often yield high false positive rates due to the legitimate nature of the underlying protocols. To counter this threat, defenders are advised to implement canary tokens to detect early enumeration activities and to focus on identifying proxied offensive tools.
