Threat Intelligence, Identity, Network Security
Microsoft Teams, Zoom TURN servers leveraged by novel Ghost Calls C2 bypass method
BleepingComputer reports that Microsoft Teams, Zoom, and other video-conferencing apps could have their Traversal Using Relays around NAT (TURN) servers exploited for traffic tunneling through Ghost Calls, a new post-exploitation command-and-control (C2) bypass tactic.
Temporary TURN credentials provided when joining Teams or Zoom meetings could be taken over by Ghost Calls to create a TURN-based WebRTC client, which attackers could then use for arbitrary data proxying or C2 traffic concealment while benefiting from reliable connectivity, according to a Praetorian study presented at Black Hat USA 2025. Praetorian researchers were able to tunnel traffic through the custom open-source TURNt utility, which includes a Controller for the threat actor, which executes a SOCKS proxy server to approve TURN-tunneled connections, and a Relay for the impacted host device. Neither Microsoft nor Zoom has disclosed whether more security measures will be implemented to prevent such an intrusion.