Ghost Calls - Abusing Web Conferencing for Covert Command & Control

Name: Ghost Calls - Abusing Web Conferencing for Covert Command & Control
Description: Command and control (C2) infrastructure is the nervous system of an adversary operation. Once a foothold is established on a target environment, attackers need a reliable, stealthy channel to issue co

Adam Crosser

DEF CON 33 · Day 1 · Main Stage

Command and control (C2) infrastructure is the nervous system of an adversary operation. Once a foothold is established on a target environment, attackers need a reliable, stealthy channel to issue co

AI review

Adam Crosser presents Ghost Calls, a purpose-built red team tool that tunnels C2 traffic through web conferencing APIs (Zoom, Teams, Webex, Meet) to achieve a short-term C2 channel that is simultaneously low-latency, high-throughput, enterprise-ubiquitous, and TLS-inspection-exempt. The talk formalizes a four-dimensional channel evaluation framework and demonstrates interactive SOCKS proxying through the conferencing platform's own infrastructure.

Watch on YouTube