Ghost Calls: Hackers Exploit Zoom & Teams for Stealthy C2 Attacks

At TecnetOne, we stay alert to new tactics cyber attackers use to bypass defenses. Today, we want to highlight a lesser-known yet ingenious threat: Ghost Calls.

This technique doesn’t exploit a vulnerability. Instead, it abuses trusted video conferencing protocols — like Zoom and Microsoft Teams — to conceal malicious traffic. Yes, you read that right: your everyday collaboration tools may be used to camouflage command-and-control (C2) operations.

Here’s how the tactic works, the risks it poses, and what you can do to secure your business environment.

What Is Ghost Calls and Why Is It Concerning?

Ghost Calls is a post-exploitation evasion technique that uses TURN (Traversal Using Relays around NAT) servers — commonly found in tools like Zoom and Teams — to create encrypted channels between the attacker and the compromised system.

Instead of launching direct attacks, adversaries use legitimate video conferencing infrastructure as a communication tunnel, staying completely under the radar.

“Malicious traffic is disguised as just another online meeting.”— Research summary by Adam Crosser, presented at Black Hat USA 2025

How Ghost Calls Works Technically

Abusing the TURN Protocol

TURN is a protocol used in VoIP, WebRTC, and video calls. It enables devices behind firewalls (like most corporate networks) to establish connections.

When you join a Zoom or Teams meeting, your device obtains temporary TURN credentials to route audio and video.

Ghost Calls reuses those credentials to create a secure WebRTC tunnel between the compromised device and the attacker.

Traffic Masquerading as Legitimate Meetings

That encrypted tunnel can be used to:

1. Send and receive malicious data

1. Exfiltrate sensitive information

1. Remotely execute commands as if the attacker were inside the network

All of this traffic passes through legitimate Zoom or Teams domains and IP addresses, which makes it nearly invisible to firewalls or proxies.

Local port forwarding via Ghost Calls (Source: Praetorian)

Why Is It So Hard to Detect?

Ghost Calls takes advantage of tools and services you already use and trust, giving attackers multiple advantages:

1. Perfect camouflage: Blends in with real meeting traffic

1. No malicious domains: Uses infrastructure already whitelisted in your network

1. WebRTC encryption: Prevents deep packet inspection, even with TLS inspection

1. Standard ports (443): Same as regular HTTPS traffic

1. Low latency and high speed: Suitable for real-time operations like VNC

Compared to traditional C2 methods (often slow and noisy), Ghost Calls is stealthy, fast, and highly effective.

What Tools Are Attackers Using?

Researcher Adam Crosser from Praetorian developed an open-source tool called TURNt, available on GitHub, to demonstrate this technique.

TURNt consists of two components:

1. Controller: Runs on the attacker’s side and acts as a SOCKS proxy server

1. Relay: Installed on the compromised machine and connects to the controller via TURN, creating a WebRTC channel

With this setup, attackers can:

1. Redirect local and remote ports

1. Tunnel VNC traffic

1. Exfiltrate real-time data

1. Maintain stealthy and persistent communication

Learn more: North Korean Hackers Use Deepfakes on Zoom to Infect Macs

Does This Mean Zoom or Teams Are Insecure?

Not exactly. Ghost Calls doesn’t exploit a vulnerability in the software. Instead, it abuses the normal design and trust model of these platforms.

It’s a trust abuse tactic: the attacker leverages tools already allowed and enabled on your network to move laterally without raising suspicion.

Both Zoom and Microsoft were contacted for comment. As of publication time, no public response has been issued.

What Risks Does This Pose to Your Organization?

In a corporate environment, Ghost Calls can have severe consequences if you’re not prepared:

1. Loss of network visibility: Malicious traffic hides in normal flows

1. Undetected persistence: Attackers can maintain remote access without alerts

1. Silent exfiltration of sensitive data

1. Lateral access to internal systems

And all this can occur even if you have firewalls, EDRs, and proxies in place, because Ghost Calls hides behind legitimate-looking traffic.

SOCKS proxying on TURNt (Source: Praetorian)

How to Protect Yourself

At TecnetOne, we recommend a combination of technical and operational controls to defend against this advanced tactic:

Segment WebRTC Traffic

Restrict WebRTC usage to authorized devices and users, especially if not everyone needs it for their role.

Audit TURN/STUN Usage

Inventory all TURN and STUN servers allowed in your network. Block any that don’t come from trusted providers.

Deploy Network Detection and Response (NDR)

Traditional monitoring tools won’t catch this. Use behavioral detection solutions that can identify suspicious traffic — even when encrypted and using legitimate domains.

Review Suspicious Interactive Sessions

Look for meetings initiated after hours, with no visible participants, or from unusual locations.

Use Context-Based Detection and Zero Trust

Implement policies where every request (even over trusted channels) is validated by context: user, device, location, and behavioral patterns.

Also of interest: Microsoft Teams: April 2025 News and Updates

Conclusion: Even Trust Can Be Exploited

Ghost Calls is a prime example of how attackers now target trust instead of code.

Instead of finding bugs, they infiltrate the very tools you rely on for daily communication.

That’s why a modern cybersecurity strategy must include:

1. Full visibility of encrypted traffic

1. Application and protocol-level control

1. Continuous behavior-based monitoring

1. IT team awareness and training on advanced threats

Protecting your business is no longer just about having antivirus software. It’s about understanding how modern attackers operate — and staying one step ahead with smart, proactive defenses.