C2 Traffic Disguised as Web Conferencing
Ghost Calls effectively blends attacker traffic into normal video conferencing patterns, taking advantage of the following properties:
- Encrypted WebRTC channels make packet inspection ineffective
- Use of trusted infrastructure (Zoom, Teams) bypasses firewalls and proxies
- Traffic over port 443 makes the communication indistinguishable from HTTPS
Unlike traditional C2 protocols—which are often high-latency, limited in scope, and easy to flag—Ghost Calls provides low-latency, interactive sessions suitable for VNC tunneling, data exfiltration, and real-time control.
Introducing TURNt: The Ghost Calls Utility
To demonstrate the technique, Crosser developed an open-source tool called TURNt, available on GitHub.
TURNt has two components:
- Controller: Runs on the attacker’s system and functions as a SOCKS proxy
- Relay: Deployed on the victim’s machine, connects back via TURN
Using TURNt, red teams (or attackers) can:
- Perform SOCKS proxying
- Conduct local and remote port forwarding
- Exfiltrate sensitive data
- Tunnel hidden VNC traffic through TURN infrastructure
The tool effectively relays traffic through conferencing providers’ TURN servers, hiding malicious activity behind enterprise-trusted IP ranges.
Figure: SOCKS proxying on TURNt (Source: Praetorian)
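A defender-side check that follows from the properties listed above, added here as an example and not taken from the original article or from Praetorian: since the payload is encrypted and the destination is trusted infrastructure, the remaining signal is which endpoint process is talking to the conferencing relay ranges on port 443. The relay ranges, the process allowlist and the flow records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737 documentation space); substitute the
# media-relay ranges your conferencing providers actually publish.
RELAY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed allowlist of sanctioned conferencing client process names (lowercase).
APPROVED_CLIENTS = {"zoom.exe", "ms-teams.exe"}

# Constructed endpoint flow records: (host, process, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("ws-014", "Zoom.exe", "203.0.113.20", 443, 48_000_000),
    ("ws-014", "chrome.exe", "192.0.2.80", 443, 120_000),
    ("ws-027", "updater.exe", "203.0.113.41", 443, 310_000_000),
    ("ws-027", "updater.exe", "198.51.100.7", 443, 95_000_000),
    ("srv-db1", "svchost.exe", "198.51.100.9", 443, 2_000),
]


def is_relay(ip):
    """True if the destination falls inside a conferencing relay range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_RANGES)


def find_unexpected_relay_clients(flows, approved=APPROVED_CLIENTS):
    """Sum outbound bytes per (host, process) for non-approved processes
    that reach relay ranges on port 443."""
    hits = defaultdict(int)
    for host, process, dst_ip, dst_port, bytes_out in flows:
        if dst_port != 443 or not is_relay(dst_ip):
            continue
        if process.lower() in approved:
            continue
        hits[(host, process)] += bytes_out
    return dict(hits)


def triage(flows):
    """Order findings by outbound volume, largest first."""
    return sorted(find_unexpected_relay_clients(flows).items(),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (host, process), total in triage(SAMPLE_FLOWS):
        print(f"{host} {process}: {total} bytes out to conferencing relay ranges")
```

Browser-based meeting clients reach the same ranges from a browser process, so the allowlist needs to reflect how conferencing is actually used in the environment before findings are treated as alerts.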