A sophisticated new command-and-control (C2) evasion method dubbed Ghost Calls is exploiting fundamental infrastructure in collaboration platforms like Zoom and Microsoft Teams, allowing attackers to hide malicious traffic in plain sight. Presented at BlackHat USA by Praetorian researcher Adam Crosser, the technique abuses the TURN protocol (Traversal Using Relays around NAT)—a legitimate mechanism enabling real-time communication across firewalls—to create stealthy bidirectional tunnels.

How Trusted Infrastructure Becomes an Attack Vector

When users join Zoom or Teams meetings, clients receive temporary TURN credentials to relay media through providers' globally distributed servers. Ghost Calls weaponizes these credentials to establish WebRTC data channels between compromised hosts and attacker controllers. Crucially, this requires no software vulnerability—only valid credentials harvested post-exploitation.

Article illustration 1

Legitimate conferencing infrastructure becomes an unwitting accomplice to malicious tunneling (Source: BleepingComputer)

Evasion Mechanics: Why Defenses Fail

  • Blending with Legitimate Traffic: TURN traffic flows through Microsoft/Azure and Zoom IP ranges—domains explicitly trusted by enterprise firewalls
  • Encryption by Design: WebRTC’s mandatory encryption (DTLS/SRTP) prevents TLS inspection from detecting payloads
  • Performance Advantages: UDP/TCP over port 443 provides lower latency than traditional C2 channels, enabling real-time VNC operations
  • Infrastructure Obfuscation: Attackers never expose their own servers, routing all traffic through victim-approved services

The TURNt Toolchain: Weaponizing the Technique

Crosser released TURNt—an open-source toolkit enabling:
- SOCKS5 proxying for arbitrary traffic tunneling
- Local/remote port forwarding
- Encrypted data exfiltration
- Interactive VNC session masking

The architecture uses two components:
1. Controller: Attacker-side SOCKS proxy managing TURN credentials
2. Relay: Implant on compromised host establishing WebRTC channels

Article illustration 3

TURNt's SOCKS proxying mechanism routing traffic through TURN servers (Source: Praetorian)

Implications for Enterprise Security

This technique fundamentally undermines trust-based defenses:
- Network Security: Perimeter defenses can’t block essential conferencing infrastructure
- Detection Challenges: Behavioral analysis must distinguish malicious sessions from legitimate brief meetings
- Credential Hygiene: Stolen session tokens become critical attack enablers

Microsoft and Zoom face pressure to implement safeguards like tighter credential validity windows or anomaly detection in TURN usage—though any restrictions risk breaking legitimate functionality. For now, defenders must assume trusted services can be weaponized, shifting focus to endpoint monitoring and strict credential rotation.

As collaboration tools become infrastructure, their protocols inevitably become attack surfaces. Ghost Calls demonstrates that in modern security, the most trusted paths often carry the greatest danger.