
New Ghost Calls Attack Abuses Web Conferencing for Covert Command & Control
The landscape of cyber threats changes constantly, and attackers keep looking for ways around established controls. A new command and control (C2) technique dubbed "Ghost Calls", presented by Adam Crosser of Praetorian at Black Hat USA 2025, shows how an attacker can route C2 traffic through legitimate web conferencing platforms so that it blends into traffic defenders already expect and allow. Security teams, IT staff, and developers who run or build on these platforms should understand how this abuse of an everyday service works and what does and does not help against it.
Understanding the Ghost Calls Mechanism
At its core, Ghost Calls rides on legitimate web conferencing infrastructure rather than on attacker-owned servers. Traditional C2 channels often rely on custom protocols, attacker-registered domains, or unusual traffic patterns, which gives intrusion detection systems (IDS) and firewalls something to key on. Ghost Calls instead speaks a protocol that every web conferencing client already speaks, to servers the organization already trusts.
The technique abuses Traversal Using Relays around NAT (TURN), a standard protocol in real-time communication (RTC) stacks such as WebRTC. When two endpoints cannot reach each other directly because of network address translation (NAT) or firewalls, each one authenticates to a TURN server, normally with short-lived credentials the conferencing service hands to its clients, asks it to allocate a relay address, and the server then forwards whatever one side sends to the other. Nothing here is a vulnerability in TURN; the relay is doing exactly what it was designed to do. An attacker holding valid credentials for a provider's relays can have an implant and an operator both allocate relays and push C2 data through them, so the implant only ever talks to the conferencing provider's infrastructure, over the same ports and TLS-wrapped transports a normal client uses. From the network's point of view the session looks like a call in progress, and because RTC media is itself encrypted (SRTP keyed via DTLS), there is no plaintext payload to inspect either way.
This is what makes the technique so stealthy. The relay endpoints belong to well-known providers and are typically allow-listed on corporate firewalls and proxies, so the channel passes controls that were built to spot connections to unknown, newly registered, or reputation-poor infrastructure. An organization that depends on web conferencing has in effect pre-approved the path the attacker is using, which makes Ghost Calls a serious concern for any environment where these tools are part of daily operations.
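To make the mechanism concrete, the following is an added example (written for this page, not Praetorian's tooling or any vendor's client code) that builds and parses the STUN/TURN messages both ends of a relayed session exchange, including the Allocate request with long-term credentials that a client sends to get a relay address. The username, realm, nonce and password are made-up values; the encoding follows RFC 5389 and RFC 5766, and the same parser is what a defender would use to pick TURN allocations out of a capture on UDP 3478.

```python
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
# STUN/TURN method numbers (RFC 5389, RFC 5766)
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008
ATTR_REALM, ATTR_NONCE, ATTR_REQUESTED_TRANSPORT = 0x0014, 0x0015, 0x0019


def msg_type(method, cls):
    # Interleave the 12 method bits with the 2 class bits (RFC 5389 section 6).
    return (((method & 0x0F80) << 2) | ((method & 0x0070) << 1) | (method & 0x000F)
            | ((cls & 2) << 7) | ((cls & 1) << 4))


def split_type(t):
    method = ((t & 0x3E00) >> 2) | ((t & 0x00E0) >> 1) | (t & 0x000F)
    cls = ((t & 0x0100) >> 7) | ((t & 0x0010) >> 4)
    return method, cls


def encode_attr(atype, value):
    # Every attribute is TLV, with the value padded to a 4-byte boundary.
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def long_term_key(username, realm, password):
    # Long-term credential key (RFC 5389 section 15.4): MD5 of "user:realm:pass".
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def build_message(method, cls, attrs, key=None, txid=None):
    txid = txid or os.urandom(12)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if key is not None:
        # MESSAGE-INTEGRITY is HMAC-SHA1 over header+attributes that precede it,
        # with the header length already counting the 24-byte MI attribute.
        hdr = struct.pack("!HHI12s", msg_type(method, cls), len(body) + 24, MAGIC_COOKIE, txid)
        body += encode_attr(ATTR_MESSAGE_INTEGRITY, hmac.new(key, hdr + body, hashlib.sha1).digest())
    return struct.pack("!HHI12s", msg_type(method, cls), len(body), MAGIC_COOKIE, txid) + body


def parse_message(data):
    """Decode a STUN/TURN message; raises ValueError if the bytes are not STUN."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    t, length, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or t & 0xC000 or len(data) < 20 + length:
        raise ValueError("not a STUN message")
    method, cls = split_type(t)
    attrs, off = [], 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        attrs.append((atype, data[off + 4:off + 4 + alen], off))  # keep offset for MI check
        off += 4 + alen + ((-alen) % 4)
    return {"method": METHODS.get(method, hex(method)), "class": CLASSES[cls],
            "txid": txid, "attrs": attrs}


def verify_integrity(data, key):
    """Recompute MESSAGE-INTEGRITY; False if absent or if the message was altered."""
    for atype, value, off in parse_message(data)["attrs"]:
        if atype == ATTR_MESSAGE_INTEGRITY:
            # Length field is rewritten to end right after the MI attribute itself.
            hdr = data[:2] + struct.pack("!H", off + 4) + data[4:20]
            mac = hmac.new(key, hdr + data[20:off], hashlib.sha1).digest()
            return hmac.compare_digest(mac, value)
    return False


def allocate_request(username, realm, nonce, password):
    """The authenticated Allocate a client sends after the server's 401 challenge."""
    attrs = [(ATTR_REQUESTED_TRANSPORT, b"\x11\x00\x00\x00"),  # 17 = UDP relay
             (ATTR_USERNAME, username.encode()),
             (ATTR_REALM, realm.encode()),
             (ATTR_NONCE, nonce.encode())]
    return build_message(0x003, 0, attrs, key=long_term_key(username, realm, password))


if __name__ == "__main__":
    # Constructed credentials; a real service issues these per client/session.
    msg = allocate_request("user-1234", "turn.example", "a1b2c3", "s3cret")
    p = parse_message(msg)
    print(p["method"], p["class"], "integrity ok:",
          verify_integrity(msg, long_term_key("user-1234", "turn.example", "s3cret")))
```

Two things are worth noticing. First, the only secrets in play are the username and password the service issued; anyone holding them can produce a valid Allocate, which is why the channel does not need to break anything. Second, the framing above is all a network sensor can see on a plaintext UDP relay, and nothing at all once the same exchange is wrapped in TLS on 5349 or 443, so detection has to lean on who allocated, when, and for how long rather than on what was relayed.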
Why Web Conferencing Platforms Are Prime Targets
Web conferencing platforms have become indispensable tools for remote work, collaboration, and even critical business operations. Their widespread adoption and the inherent trust placed in their services make them attractive targets for attackers. The Ghost Calls technique capitalizes on several critical factors:
- Ubiquity: Nearly every organization utilizes at least one web conferencing platform, providing a vast attack surface.
- Trusted Traffic: Network teams prioritize smooth, uninterrupted conferencing traffic, so the provider's relay ranges are commonly allow-listed and exempted from the scrutiny applied to other outbound connections.
- Opaque Protocols: Over UDP the STUN/TURN framing is visible but the relayed media is SRTP-encrypted; over TLS (port 5349, or 443) even the framing is hidden. Deep packet inspection therefore has little to work with beyond connection metadata.
- Legitimate Infrastructure: Attackers piggyback on the robust, global infrastructure provided by major web conferencing providers, offloading the burden of maintaining their own C2 infrastructure.
Adam Crosser’s research at Black Hat USA 2025 highlights the ingenuity of this approach, demonstrating a shift in attacker methodologies towards exploiting the very tools designed for productivity and communication.
Remediation Actions and Mitigations
While the sophistication of Ghost Calls presents a challenge, several proactive measures can significantly reduce an organization’s susceptibility to such attacks:
- Enhanced Network Monitoring: Deep packet inspection will not reveal relayed content, since it is encrypted, but TURN framing and flow metadata remain visible. Log TURN Allocate requests and long-lived relay sessions, and baseline what a genuine call looks like (duration, bidirectional packet rate, byte symmetry, time of day) so that relay sessions that do not fit, such as a twelve-hour "call" carrying a trickle of packets, stand out for review.
- Zero Trust Architecture: Embrace a Zero Trust security model. Assume no user, device, or network segment is inherently trustworthy. Continuously verify identity and restrict access to the absolute minimum required.
- Segment Networks: Isolate critical assets and sensitive data within segmented network zones. Even if a Ghost Calls C2 channel is established, network segmentation can limit lateral movement.
- Endpoint Detection and Response (EDR): Deploy robust EDR solutions on all endpoints. EDR tools can detect post-exploitation activities, even if initial C2 communications are stealthy. Look for unusual process behavior, file modifications, or outbound connections from web conferencing client processes that deviate from normal operation.
- Regular Security Audits and Penetration Testing: Conduct frequent audits of web conferencing configurations and engage in penetration testing specifically designed to probe for covert channels and C2 bypasses.
- Employee Awareness Training: Educate employees about the dangers of social engineering, phishing, and the importance of secure web conferencing practices. Compromise of an endpoint is often the precursor to C2 establishment.
- Patch Management: Ensure that all web conferencing client applications and underlying operating systems are kept up-to-date with the latest security patches. While Ghost Calls exploits protocol design, vulnerabilities in implementations could still be a vector.
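The monitoring and EDR items above come down to one question: which relay sessions do not look like a call, and which process opened them? The following is an added example, not from the original article or from Praetorian, of a triage pass over per-session records of the kind an NDR sensor or EDR agent would produce. The records, the process names, and the thresholds are constructed for illustration; a real deployment would derive the thresholds from its own call baseline, and an attacker can shape traffic to mimic media, so the endpoint signal (an unexpected process making the allocation) is the one to weight most heavily.

```python
from dataclasses import dataclass


@dataclass
class RelaySession:
    host: str
    proc: str            # process that owned the socket (EDR telemetry); "" if unknown
    dst: str             # relay server address
    duration_s: float
    orig_bytes: int
    resp_bytes: int
    orig_pkts: int
    resp_pkts: int
    turn_allocates: int  # TURN Allocate requests seen on this 5-tuple


# Illustrative thresholds (assumptions, not vendor guidance): a live call pushes
# tens of packets per second each way, is roughly symmetric, and ends in hours.
MIN_PPS = 5.0
MAX_BYTE_RATIO = 20.0
MAX_DURATION_S = 8 * 3600


def score_session(s, expected_procs):
    """Return (score, reasons); 0 means the session looks like ordinary media."""
    reasons = []
    if s.turn_allocates == 0:
        return 0, reasons  # not a TURN relay session; out of scope here
    if s.proc and s.proc.lower() not in expected_procs:
        reasons.append(f"TURN allocation from unexpected process {s.proc}")
    pkts = s.orig_pkts + s.resp_pkts
    if pkts / max(s.duration_s, 1.0) < MIN_PPS:
        reasons.append("packet rate too low for live audio/video")
    hi, lo = max(s.orig_bytes, s.resp_bytes), max(min(s.orig_bytes, s.resp_bytes), 1)
    if hi / lo > MAX_BYTE_RATIO:
        reasons.append("byte volume highly asymmetric (one-way transfer)")
    if s.duration_s > MAX_DURATION_S:
        reasons.append("session longer than a plausible meeting")
    return len(reasons), reasons


def triage(sessions, expected_procs, min_score=2):
    """Sessions worth an analyst's time, highest score first."""
    hits = []
    for s in sessions:
        score, reasons = score_session(s, expected_procs)
        if score >= min_score:
            hits.append((s.host, s.proc, score, reasons))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample telemetry (not real data). Process names are placeholders.
EXPECTED = {"meetingclient.exe", "browser.exe"}
SAMPLES = [
    # a normal 30-minute call: ~100 pps, symmetric, from the meeting client
    RelaySession("ws-01", "meetingclient.exe", "relay.example", 1800,
                 12_000_000, 11_500_000, 90_000, 88_000, 1),
    # a browser call seen only by the network sensor (no process attribution)
    RelaySession("ws-02", "", "relay.example", 2700,
                 18_000_000, 17_000_000, 130_000, 128_000, 1),
    # a 12-hour "call" from an unexpected binary, trickle rate, one-way bulk data
    RelaySession("ws-03", "updater.exe", "relay.example", 43_200,
                 500_000, 12_000_000, 6_000, 6_000, 1),
    # ordinary HTTPS flow with no TURN allocation: ignored by this pass
    RelaySession("ws-04", "browser.exe", "cdn.example", 60,
                 2_000, 900_000, 40, 700, 0),
]

if __name__ == "__main__":
    for host, proc, score, reasons in triage(SAMPLES, EXPECTED):
        print(f"{host} ({proc or 'unknown proc'}) score={score}")
        for r in reasons:
            print("   -", r)
```

The sample run flags only ws-03, and for four independent reasons; ws-02 passes even without process attribution because its traffic shape matches a call. In practice the process field is the decisive one, which is why this check belongs in a pipeline that joins network sessions to EDR socket telemetry rather than in a purely network-side rule.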
Relevant Tools for Detection and Mitigation
Implementing a comprehensive security strategy requires the right tools. Here is a table outlining useful categories and examples:
| Tool Category | Purpose | Example Tools (some entries are broad categories) |
|---|---|---|
| Next-Generation Firewalls (NGFW) | Advanced threat prevention, application control, and deep packet inspection. | Palo Alto Networks Next-Gen Firewall, Fortinet FortiGate |
| Network Detection and Response (NDR) | Real-time network traffic analysis, anomaly detection, and threat hunting. | Vectra AI, ExtraHop, Darktrace |
| Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR) | Detect and investigate suspicious activities on endpoints and across the IT stack. | CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne |
| Security Information and Event Management (SIEM) | Centralized logging, correlation of security events, and alerting. | Splunk, IBM QRadar, Elastic SIEM |
| Vulnerability Management Platforms | Identify and manage vulnerabilities in systems and applications. | Tenable.io, Qualys, Rapid7 InsightVM |
Conclusion
The "Ghost Calls" technique is a notable step in covert command and control: rather than exploiting a flaw, it abuses the TURN relays that modern web conferencing depends on, exactly as they are meant to be used, and inherits the trust and encryption those services enjoy. That combination is a real blind spot for network-centric defenses. Organizations should move beyond perimeter allow-lists toward layered controls: visibility into TURN allocations and relay session behavior, endpoint telemetry that ties relay connections to the process that opened them, segmentation that limits what a compromised host can reach, and a Zero Trust posture that does not treat a trusted destination as proof of trusted traffic. Staying current on techniques like Ghost Calls is part of keeping that posture resilient.