Edward Kiledjian's Threat Intel

New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations www.bleepingcomputer.com/news/secu…

A new post-exploitation command-and-control (C2) evasion method called ‘Ghost Calls’ abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure. Ghost Calls uses legitimate credentials, WebRTC, and custom tooling to bypass most existing defenses and anti-abuse measures, without relying on an exploit.

The tactic was presented by Praetorian security researcher Adam Crosser at Black Hat USA, where it was highlighted that red teams can use the technique when performing penetration emulation exercises. “We leverage web conferencing protocols, which are designed for real-time, low-latency communication and operate through globally distributed media servers that function as natural traffic relays,” reads the presentation’s briefing.