Ghost Calls: Abusing Web Conferencing for Covert Command & Control

Black Hat USA 2025 · Day 1 · Briefings

Adam Crosser of Praetorian built a covert command-and-control (C2) channel that routes traffic through the TURN relay infrastructure of Microsoft Teams and Zoom, making attacker traffic appear as legitimate video conference data at the network level. The tool, released on GitHub alongside the talk, supports SOCKS proxying, local and remote port forwarding, and 100 Mbps+ throughput — all tunneled over TLS to Microsoft or Zoom infrastructure. Zoom patched its TURN credentials exposure before the talk; Microsoft Teams remains open.

AI review

Crosser identified a real gap in the red team toolkit and filled it with a working tool that hits 100+ Mbps through TLS tunnels to Microsoft's own infrastructure. Zoom patched it mid-conference; Teams is still open. This is what a proper offensive research talk looks like.