Black Hat USA 2025 | Ghost Calls: Abusing Web Conferencing for Covert Command & Control

Black Hat, Apr 1, 2026

Why It Matters

Web‑conferencing platforms run globally distributed media relays that enterprises trust and allow‑list, giving an attacker a low‑latency, high‑bandwidth conduit for short‑term C2 and forcing defenders to rethink how they monitor real‑time media traffic.

Key Takeaways

  • Long‑term covert C2 channels are stealthy but lack the bandwidth and responsiveness needed for SOCKS proxying, layer‑two pivoting, relaying attacks or hidden VNC.
  • A short‑term interactive channel needs low latency, high throughput, broad reach and trusted, allow‑listed infrastructure.
  • Conferencing clients such as Zoom, Teams and Meet reach their providers' TURN/media relays even from networks with restrictive proxies and egress filtering.
  • Vendors recommend allow‑listing those media‑server IPs and exempting them from TLS inspection, which also shields traffic an attacker routes through them.
  • TURNt, the open‑source tool introduced in the talk, routes covert traffic through those media servers in one‑to‑two‑hour sessions that look like a joined meeting.

Summary

The Black Hat USA 2025 talk introduced “ghost calls,” a technique that rides commercial web‑conferencing platforms to create covert, short‑term command‑and‑control (C2) channels. Presenter Adam Crosser explained that long‑term covert channels are well suited to stealthy, persistent communication but lack the bandwidth and real‑time responsiveness needed for interactive work such as SOCKS proxying, layer‑two pivoting, relaying attacks or hidden VNC sessions; pushing that traffic over them in a well‑monitored network is slow and conspicuous. He argued that a short‑term C2 channel fit for those tasks must combine low latency, high throughput, broad reach and trusted, allow‑listed infrastructure.

Crosser weighed several candidate carriers, including DNS‑over‑HTTPS, cloud file storage, custom domains and messaging apps, and found each lacking in latency, throughput or trust. Web‑conferencing services are built for real‑time human interaction: they deliver low latency and high bandwidth through globally distributed media servers that function as natural traffic relays, and vendors routinely advise customers to allow‑list those servers and exempt them from TLS inspection. That combination makes a conferencing relay a strong fit for a fast, low‑visibility interactive C2 session.

The speaker walked through the protocols underneath Zoom, Microsoft Teams and Google Meet: WebRTC signalling, STUN/TURN for NAT traversal and relaying, and the vendors' custom RTP wrappers for media. The property that matters is that a TURN server forwards whatever datagrams a client sends toward a peer through the allocation the client holds, and that TURN also runs over TCP and TLS (these clients fall back to port 443), so the relay stays reachable when direct UDP egress is blocked and the session crosses a corporate proxy like any other TLS connection. TURNt uses that relay behaviour to route arbitrary traffic through the provider's media servers, so the covert session appears on the network as a temporarily joined meeting.

The implication for defenders is that the trusted status of conferencing traffic creates a blind spot: the relay ranges are allow‑listed, exempt from TLS inspection, and carry encrypted media that network tools cannot read. Countermeasures therefore have to work around the content rather than through it: restrict access to vendor relay ranges to managed conferencing clients, log TURN sessions (source host, process, duration, bytes in each direction) instead of waving them through, and baseline what a genuine meeting looks like so that sessions whose traffic shape does not match one can be flagged. Without that, an adversary can proxy traffic or control a compromised host for an hour or two without tripping a conventional alert.
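One way to act on the behavioural point above, as an added example that is not from the talk or from TURNt: score sizeable sessions to allow‑listed relay ranges by how far their shape departs from a meeting. The records are a constructed Zeek‑style conn log carrying a hypothetical `process` field from an endpoint agent; the relay prefix 203.0.113.0/24 is a documentation range standing in for vendor‑published addresses, and every threshold is an assumption to tune against your own baseline.

```python
"""Flag relay sessions on allow-listed conferencing ranges that do not look like a meeting.

Added example for the defensive discussion; not from the talk or from TURNt.
Input is a constructed Zeek-style conn log (JSON lines) enriched with a
hypothetical `process` field. The relay range (203.0.113.0/24, a documentation
prefix) stands in for vendor-published ranges; thresholds are assumptions.
"""
import ipaddress
import json
from typing import Dict, List

RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # substitute vendor-published media-server ranges
RELAY_PORTS = {3478, 443}                                # TURN over UDP/TCP, and the TLS fallback on 443
CONFERENCING_PROCESSES = {"teams.exe", "ms-teams.exe", "zoom.exe", "chrome.exe", "msedge.exe"}

# Heuristic thresholds (assumed, not measured on any vendor's traffic).
MEDIA_MEAN_PKT_MIN, MEDIA_MEAN_PKT_MAX = 200, 1400   # bytes/packet band an audio/video stream tends to occupy
MAX_UPLOAD_RATIO = 5.0                               # orig_bytes / resp_bytes above this is lopsided for a call
MIN_SESSION_BYTES = 1_000_000                        # skip STUN probes and other tiny flows

# Constructed records: a real meeting, a suspect relay session, ordinary HTTPS, and a STUN probe.
SAMPLE_CONN_LOG = """
{"uid":"Cteams01","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.20","id.resp_p":3478,"proto":"udp","duration":2700.0,"orig_bytes":180000000,"resp_bytes":210000000,"orig_pkts":160000,"resp_pkts":190000,"process":"teams.exe"}
{"uid":"Cghost02","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.41","id.resp_p":443,"proto":"tcp","duration":5400.0,"orig_bytes":95000000,"resp_bytes":6000000,"orig_pkts":700000,"resp_pkts":70000,"process":"powershell.exe"}
{"uid":"Chttps03","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp","duration":12.0,"orig_bytes":4000,"resp_bytes":250000,"orig_pkts":40,"resp_pkts":200,"process":"chrome.exe"}
{"uid":"Cstun04","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.20","id.resp_p":3478,"proto":"udp","duration":0.1,"orig_bytes":120,"resp_bytes":140,"orig_pkts":2,"resp_pkts":2,"process":"powershell.exe"}
"""


def is_relay_session(rec: dict) -> bool:
    """True when the responder is inside an allow-listed relay range on a TURN port."""
    dst = ipaddress.ip_address(rec["id.resp_h"])
    return rec["id.resp_p"] in RELAY_PORTS and any(dst in net for net in RELAY_NETS)


def anomalies(rec: dict) -> List[str]:
    """Return the ways this relay session departs from what a human meeting produces."""
    reasons = []
    process = rec.get("process", "").lower()
    if process not in CONFERENCING_PROCESSES:
        reasons.append(f"relay reached from {process or 'unknown process'}, not a conferencing client")
    mean_out = rec["orig_bytes"] / max(rec["orig_pkts"], 1)
    if not MEDIA_MEAN_PKT_MIN <= mean_out <= MEDIA_MEAN_PKT_MAX:
        reasons.append(f"mean outbound packet {mean_out:.0f} B is outside the media band")
    ratio = rec["orig_bytes"] / max(rec["resp_bytes"], 1)
    if ratio > MAX_UPLOAD_RATIO:
        reasons.append(f"upload/download ratio {ratio:.1f} is lopsided for a call")
    return reasons


def find_ghost_calls(conn_log: str) -> Dict[str, List[str]]:
    """Map conn uid -> anomaly reasons for every sizeable session to an allow-listed relay."""
    findings: Dict[str, List[str]] = {}
    for line in conn_log.strip().splitlines():
        rec = json.loads(line)
        if not is_relay_session(rec) or rec["orig_bytes"] + rec["resp_bytes"] < MIN_SESSION_BYTES:
            continue
        reasons = anomalies(rec)
        if reasons:
            findings[rec["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in find_ghost_calls(SAMPLE_CONN_LOG).items():
        print(uid)
        for reason in reasons:
            print("  -", reason)
```

Process mismatch alone is noisy, because browsers host meetings too, so the value is in the combination of features; session duration is deliberately not a feature, since the technique keeps sessions at meeting length by design.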

Original Description

Red team operators frequently struggle with establishing interactive command and control (C2) over traditional C2 channels. While long-term covert channels are well-suited for stealthy, persistent communication, they often lack the bandwidth or real-time responsiveness needed for operations such as SOCKS proxying, layer two pivoting, relaying attacks, or hidden VNC sessions. Attempting to use traditional C2 mechanisms for these activities in a well-monitored network can be slow, conspicuous, and easily detected.
Our research explores the use of real-time communication protocols as a short-term, high-speed C2 channel that seamlessly complements a covert long-term C2 infrastructure. Specifically, we leverage web conferencing protocols, which are designed for real-time, low-latency communication and operate through globally distributed media servers that function as natural traffic relays. This approach allows operators to blend interactive C2 sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting. Any enterprise reliant on collaboration suites could be exposed to these vectors, making it a critical concern across industries.
In this presentation, we introduce TURNt, an open-source tool that enables covert traffic routing through media servers hosted by web conferencing providers. These media servers offer a unique advantage: vendors frequently recommend whitelisting their IP addresses and exempting them from TLS inspection, significantly reducing the risk of detection. TURNt allows red team operators to maintain persistent, stealthy communication via traditional C2 while activating high-bandwidth interactive sessions for short, one-to-two-hour periods—mimicking legitimate conferencing activity.
We will demonstrate how this technique can be integrated into existing red team operations, discuss the trade-offs and detection risks, and explore countermeasures defenders can implement to identify and mitigate this emerging technique. Attendees will learn how to stealthily blend short-term, interactive C2 into existing red team operations and how to detect/mitigate these techniques defensively.
By:
Adam Crosser | Staff Security Engineer, Praetorian
Full Presentation Materials Available at:
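The exchange that both the summary and the abstract describe, a client obtaining a relayed address from a TURN server and pushing datagrams through it, as an added example that is not part of the talk's materials and not TURNt's code. It encodes and decodes STUN/TURN messages per RFC 5389 and RFC 5766 and simulates both sides in memory: the client's Allocate request and Send indication, and the relay's Allocate response and Data indication. The relayed and peer addresses (198.51.100.9, 203.0.113.10) and the payload are constructed placeholders, and the credential challenge and MESSAGE-INTEGRITY that a real relay demands are left out.

```python
"""Minimal STUN/TURN message codec (RFC 5389 / RFC 5766).

Added example, not code from the talk or from TURNt. Peer/relay addresses and
the payload are constructed placeholders (RFC 5737 documentation ranges).
The 401 challenge and MESSAGE-INTEGRITY that real relays require are omitted.
"""
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = 0x2112A442

# Message types (STUN method bits plus class bits: request, success, indication).
ALLOCATE_REQUEST, ALLOCATE_SUCCESS = 0x0003, 0x0103
SEND_INDICATION, DATA_INDICATION = 0x0016, 0x0017

# Attribute types used below.
ATTR_LIFETIME, ATTR_XOR_PEER_ADDRESS, ATTR_DATA = 0x000D, 0x0012, 0x0013
ATTR_XOR_RELAYED_ADDRESS, ATTR_REQUESTED_TRANSPORT = 0x0016, 0x0019


def encode_xor_address(ip: str, port: int) -> bytes:
    """XOR-*-ADDRESS (IPv4): port XOR top 16 bits of the cookie, address XOR the cookie."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, x_port, x_addr)


def decode_xor_address(value: bytes) -> Tuple[str, int]:
    _, family, x_port, x_addr = struct.unpack("!BBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
    return ip, x_port ^ (MAGIC_COOKIE >> 16)


def build_message(msg_type: int, attrs: List[Tuple[int, bytes]], tid: Optional[bytes] = None) -> bytes:
    """20-byte header followed by TLV attributes, each padded to a 4-byte boundary."""
    tid = tid or os.urandom(12)
    body = b""
    for attr_type, value in attrs:
        body += struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * (-len(value) % 4)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + tid + body


def parse_message(data: bytes) -> Tuple[int, bytes, Dict[int, bytes]]:
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not a STUN message")
    attrs, pos = {}, 20
    while pos < 20 + length:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        attrs[attr_type] = data[pos + 4:pos + 4 + attr_len]
        pos += 4 + attr_len + (-attr_len % 4)   # the length field excludes padding
    return msg_type, data[8:20], attrs


# --- client side -----------------------------------------------------------
def build_allocate_request() -> bytes:
    # REQUESTED-TRANSPORT value: protocol 17 (UDP) followed by three reserved bytes.
    return build_message(ALLOCATE_REQUEST, [(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0]))])


def build_send_indication(peer_ip: str, peer_port: int, payload: bytes) -> bytes:
    """Client -> relay: 'deliver this datagram to the peer'; the relay strips the STUN framing."""
    return build_message(SEND_INDICATION, [(ATTR_XOR_PEER_ADDRESS, encode_xor_address(peer_ip, peer_port)),
                                           (ATTR_DATA, payload)])


# --- relay side ------------------------------------------------------------
def relay_allocate_response(request: bytes, relayed_ip: str, relayed_port: int, lifetime: int = 600) -> bytes:
    """Answer an Allocate request with the relayed transport address the client now owns."""
    msg_type, tid, attrs = parse_message(request)
    if msg_type != ALLOCATE_REQUEST or attrs.get(ATTR_REQUESTED_TRANSPORT, b"")[:1] != b"\x11":
        raise ValueError("expected an Allocate request for UDP")
    return build_message(ALLOCATE_SUCCESS, [(ATTR_XOR_RELAYED_ADDRESS, encode_xor_address(relayed_ip, relayed_port)),
                                            (ATTR_LIFETIME, struct.pack("!I", lifetime))], tid)


def relay_forward(send_indication: bytes) -> Tuple[str, int, bytes]:
    """Unwrap a Send indication into (peer_ip, peer_port, raw datagram the relay emits)."""
    msg_type, _, attrs = parse_message(send_indication)
    if msg_type != SEND_INDICATION:
        raise ValueError("expected a Send indication")
    ip, port = decode_xor_address(attrs[ATTR_XOR_PEER_ADDRESS])
    return ip, port, attrs[ATTR_DATA]


def relay_data_indication(peer_ip: str, peer_port: int, datagram: bytes) -> bytes:
    """Relay -> client: a datagram that arrived at the relayed address, wrapped for the client."""
    return build_message(DATA_INDICATION, [(ATTR_XOR_PEER_ADDRESS, encode_xor_address(peer_ip, peer_port)),
                                           (ATTR_DATA, datagram)])


def demo() -> Tuple[Tuple[str, int], Tuple[str, int, bytes], bytes]:
    """Full exchange: allocate, push bytes to a peer, receive the peer's reply through the relay."""
    request = build_allocate_request()
    _, _, resp_attrs = parse_message(relay_allocate_response(request, "198.51.100.9", 49152))
    relayed = decode_xor_address(resp_attrs[ATTR_XOR_RELAYED_ADDRESS])
    outbound = relay_forward(build_send_indication("203.0.113.10", 8080, b"GET / HTTP/1.0\r\n\r\n"))
    _, _, in_attrs = parse_message(relay_data_indication("203.0.113.10", 8080, b"HTTP/1.0 200 OK"))
    return relayed, outbound, in_attrs[ATTR_DATA]


if __name__ == "__main__":
    print(demo())
```

The part to take away is relay_forward: once an allocation exists, the relay strips the STUN framing and emits the DATA payload as a plain datagram toward whichever peer the client names, which is why a media server works as a generic traffic relay and why an allow‑list entry that covers it also covers anything routed through it.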
