New Command-and-Control (C2) method, Ghost Calls, uses Zoom and Teams TURN servers to tunnel malicious traffic undetected.

A novel command-and-control (C2) evasion method, termed “Ghost Calls,” has emerged as a post-exploitation technique worth attention. It abuses the TURN (Traversal Using Relays around NAT) servers operated by major conferencing platforms such as Zoom and Microsoft Teams, letting an attacker tunnel C2 traffic through infrastructure that most organizations already trust. Because no vulnerability is exploited and the traffic terminates at the vendor's own relays, conventional network defenses have little to distinguish it from an ordinary call.

How Ghost Calls Operates

Ghost Calls rests on the legitimate function of TURN servers, which relay media for video conferencing and VoIP clients that cannot reach each other directly, typically because they sit behind corporate firewalls or NAT. When a client joins a call, the conferencing platform issues it short-lived TURN credentials; the client authenticates to the relay with them, allocates a relayed address, and the call's media is forwarded through that allocation.

Attackers take advantage of this process by obtaining such temporary credentials, either issued to them as an ordinary client would receive them or taken from a legitimate session, without exploiting any vulnerability in the platform. Authenticating to the vendor's relay with those credentials, they build a TURN-based WebRTC tunnel between the compromised device and their own command system. All C2 traffic then rides through the vendor's relay inside encrypted channels, so on the wire it is a conference call rather than a C2 session.
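The credential exchange described above, as an added example that is not part of the original article or of any vendor's or researcher's code. It shows why "no vulnerability" is needed: a backend hands out a time-limited username/password pair, the client signs a TURN Allocate request with it, and the relay verifies that signature and nothing else. The backend side assumes the TURN REST API credential scheme (expiry-stamped username, HMAC-derived password), which is one common issuance mechanism and not necessarily what Zoom or Teams use; the realm, nonce, shared secret and transaction ID are constructed values. The `channel_data` framing at the end is the point of the technique: once the allocation exists, the relay forwards opaque bytes, whether or not they are media.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import zlib

# STUN/TURN constants (RFC 5389 / RFC 5766)
MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015
ATTR_REQUESTED_TRANSPORT = 0x0019
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E


def issue_ephemeral_credentials(user, shared_secret, ttl=600, now=None):
    """Backend side (assumed TURN REST API scheme): the username carries its own expiry and the
    password is an HMAC over the username, so the relay needs no per-user database."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user}"
    mac = hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def long_term_key(username, realm, password):
    # Long-term credential key per RFC 5389: MD5(username ":" realm ":" password)
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _attr(atype, value):
    # TLV attribute, value padded to a 4-byte boundary
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _header(msg_type, body_len, txid):
    return struct.pack("!HHI", msg_type, body_len, MAGIC_COOKIE) + txid


def build_allocate(username, realm, nonce, key, txid=None):
    """Client side: authenticated Allocate request asking the relay for a UDP relayed address."""
    txid = os.urandom(12) if txid is None else txid
    body = (_attr(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0]))  # 17 = UDP
            + _attr(ATTR_USERNAME, username.encode())
            + _attr(ATTR_REALM, realm.encode())
            + _attr(ATTR_NONCE, nonce.encode()))
    # MESSAGE-INTEGRITY: HMAC-SHA1 over header+attributes so far, with the header length
    # field already counting the 24-byte MI attribute that is about to be appended.
    mac = hmac.new(key, _header(ALLOCATE_REQUEST, len(body) + 24, txid) + body, hashlib.sha1).digest()
    body += _attr(ATTR_MESSAGE_INTEGRITY, mac)
    # FINGERPRINT: CRC-32 of everything before it XOR 0x5354554e, length counting FINGERPRINT.
    hdr = _header(ALLOCATE_REQUEST, len(body) + 8, txid)
    crc = (zlib.crc32(hdr + body) & 0xFFFFFFFF) ^ FINGERPRINT_XOR
    return hdr + body + _attr(ATTR_FINGERPRINT, struct.pack("!I", crc))


def parse_attrs(msg):
    """Return {attr_type: (value, offset_of_attribute)} for a STUN message."""
    attrs, off = {}, 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack_from("!HH", msg, off)
        attrs[atype] = (msg[off + 4:off + 4 + alen], off)
        off += 4 + alen + ((-alen) % 4)
    return attrs


def relay_accepts(msg, realm, shared_secret, now=None):
    """Relay side: check FINGERPRINT, credential expiry and MESSAGE-INTEGRITY. Returns (ok, reason).
    Note what is NOT checked: who the user is, what they will send, or whether a call exists."""
    now = int(time.time()) if now is None else now
    attrs = parse_attrs(msg)
    if any(a not in attrs for a in (ATTR_FINGERPRINT, ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY)):
        return False, "missing attribute"
    fp, fp_off = attrs[ATTR_FINGERPRINT]
    if (zlib.crc32(msg[:fp_off]) & 0xFFFFFFFF) ^ FINGERPRINT_XOR != struct.unpack("!I", fp)[0]:
        return False, "bad fingerprint"
    username = attrs[ATTR_USERNAME][0].decode()
    expiry, _, _user = username.partition(":")
    if not expiry.isdigit() or int(expiry) < now:
        return False, "expired credential"
    # Recompute the password the backend would have issued for this username.
    password = base64.b64encode(hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()).decode()
    mi, mi_off = attrs[ATTR_MESSAGE_INTEGRITY]
    covered = msg[:2] + struct.pack("!H", mi_off - 20 + 24) + msg[4:mi_off]
    expected = hmac.new(long_term_key(username, realm, password), covered, hashlib.sha1).digest()
    if not hmac.compare_digest(mi, expected):
        return False, "bad message-integrity"
    return True, "ok"


def channel_data(channel, payload):
    """After Allocate/ChannelBind, traffic is a 4-byte ChannelData header plus opaque bytes.
    The relay forwards whatever is in payload; nothing requires it to be audio or video."""
    assert 0x4000 <= channel <= 0x7FFF
    return struct.pack("!HH", channel, len(payload)) + payload + b"\x00" * ((-len(payload)) % 4)
```

The relay's decision is entirely "valid signature, unexpired username"; it has no view of whether a meeting exists or what the ChannelData carries. That is the property Ghost Calls relies on, and it is also why defenders cannot expect the relay to reject the tunnel.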

Since the connection terminates at a genuine conferencing server and uses the standard TURN protocol on the vendor's usual ports, it blends into routine enterprise traffic. Commands and exfiltrated data travel in encrypted streams that are indistinguishable, at the network layer, from ordinary call media and are unlikely to trigger conventional alerts.

A key part of the technique is tooling. Researcher demonstrations have shown custom utilities that proxy C2 traffic through the conferencing vendors' TURN servers. The typical setup has two components, a Controller operated by the attacker and a Relay deployed on the compromised endpoint, and over the resulting tunnel supports SOCKS proxying, port forwarding, data exfiltration, and covert VNC access.

Why Ghost Calls Is So Effective

The primary strength of the Ghost Calls technique lies in its use of trusted infrastructure. Because conferencing platforms like Zoom and Teams are essential to business operations, their domains and IP ranges are allow-listed in most organizations, often explicitly exempted from TLS inspection to keep call quality acceptable. Traffic relayed through these services is therefore rarely subject to deep inspection or blocking.

Further compounding the challenge for defenders, the tunnelled payload is encrypted between the two endpoints, as WebRTC media is (DTLS-SRTP), so neither the vendor's relay nor a network inspection device sees its content; the relay only forwards opaque bytes. The channel is also bidirectional and low-latency, which makes it suitable for interactive C2 (a live shell or VNC session) rather than the slow polling that many traditional covert channels are limited to.

Implications for Red Teams and Threat Actors

Ghost Calls was designed for red teams and penetration testers emulating sophisticated adversaries, but nothing limits it to them. Any attacker who can obtain the requisite TURN credentials, which the platforms hand to every client that joins a call, can use the method, so it is a plausible vector for advanced persistent threats as well.

Defensive Considerations and Mitigation

Defending against Ghost Calls is particularly complex, because the method relies on no bug in the conferencing platforms and the obvious control, blocking the vendor's relays, would break the product. Mitigation therefore shifts from the network to the endpoint and to behaviour: attribute each connection to the vendor's TURN relays to the process that made it and alert when it is not the conferencing client; flag relay sessions from hosts that have no business being in a call (servers, jump hosts); look for sessions that outlast any plausible meeting or carry strongly one-directional volume; and, where the vendor exposes it, review TURN credential issuance against actual meeting activity. Organizations may also need to work with conferencing providers on additional safeguards as the landscape evolves.
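The endpoint-side checks above, run over a handful of constructed EDR-style connection records, as an added example that is not part of the original article. The relay hostnames, client binary names, "no client expected" host list and thresholds are assumptions to be replaced with an organization's own inventory; the records are invented for illustration and are not real telemetry.

```python
from collections import defaultdict

# Constructed EDR-style network connection records (not real telemetry): one row per connection.
SAMPLE_FLOWS = [
    {"host": "wks-17", "process": "Zoom.exe", "dst": "turn.zoom.example", "dport": 443,
     "out": 120_000_000, "in": 110_000_000, "duration_s": 3200},
    {"host": "wks-22", "process": "Teams.exe", "dst": "turn.teams.example", "dport": 3478,
     "out": 40_000_000, "in": 45_000_000, "duration_s": 1800},
    {"host": "wks-17", "process": "chrome.exe", "dst": "cdn.example", "dport": 443,
     "out": 5_000_000, "in": 80_000_000, "duration_s": 600},
    # Tunnel-like: unexpected process, ~11 h long, almost all outbound.
    {"host": "wks-05", "process": "svchost.exe", "dst": "turn.zoom.example", "dport": 443,
     "out": 900_000_000, "in": 6_000_000, "duration_s": 41000},
    # Tunnel-like: a database server talking to a conferencing relay from a script.
    {"host": "srv-db-01", "process": "python.exe", "dst": "turn.teams.example", "dport": 443,
     "out": 2_000_000, "in": 30_000_000, "duration_s": 3600},
]

# Assumptions: placeholder relay names, expected client binaries, hosts that never join calls,
# and thresholds that a real deployment would tune from its own baseline.
TURN_RELAYS = {"turn.zoom.example", "turn.teams.example"}
TURN_PORTS = {3478, 5349, 443}
CONFERENCING_CLIENTS = {"Zoom.exe", "Teams.exe", "ms-teams.exe"}
NO_CLIENT_HOSTS = {"srv-db-01"}
MAX_SESSION_S = 8 * 3600     # longer than any plausible single meeting
ASYMMETRY_RATIO = 20         # call media is roughly balanced; a tunnel often is not


def is_turn_session(flow):
    return flow["dst"] in TURN_RELAYS and flow["dport"] in TURN_PORTS


def flag_turn_sessions(flows):
    """Return {(host, process): [reasons]} for relay sessions that look like tunnels, not calls."""
    findings = defaultdict(list)
    for f in flows:
        if not is_turn_session(f):
            continue
        key = (f["host"], f["process"])
        if f["process"] not in CONFERENCING_CLIENTS:
            findings[key].append("relay session from non-conferencing process")
        if f["host"] in NO_CLIENT_HOSTS:
            findings[key].append("host not expected to use conferencing relays")
        if f["duration_s"] > MAX_SESSION_S:
            findings[key].append("session longer than a plausible meeting")
        lo, hi = sorted((f["out"], f["in"]))
        if hi / max(lo, 1) > ASYMMETRY_RATIO:
            findings[key].append("strongly one-directional transfer")
    return dict(findings)


if __name__ == "__main__":
    for (host, proc), reasons in flag_turn_sessions(SAMPLE_FLOWS).items():
        print(f"{host} {proc}: " + "; ".join(reasons))
```

Process attribution is the strongest of these signals and the one a pure network sensor cannot produce; the duration and asymmetry rules are heuristics that a legitimate all-day webinar or screen-share can trip, so they are better used to rank than to block.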
