Cybersecurity researchers have uncovered a new and highly stealthy technique being used by threat actors, dubbed “ghost calls,” to establish covert command-and-control (C2) communication channels. These attacks exploit the underlying architecture of popular web conferencing platforms, turning legitimate communication tools into an undetectable backdoor for malicious activity. This development poses a significant challenge for network defenders, as the malicious traffic blends in seamlessly with everyday business operations.
The Mechanism of the Attack
The term “ghost call” refers to a type of phantom, silent phone call that occurs without a human on the other end. In this new cyberattack method, hackers leverage the same concept to create a persistent and encrypted channel between a compromised machine and an attacker-controlled server. The attack works by hijacking a victim’s web conferencing client, such as Zoom, Microsoft Teams, or Webex, after an initial compromise. Instead of using traditional C2 methods that might be flagged by security tools, the malware initiates a “call” or a peer-to-peer connection to a seemingly legitimate endpoint.
The cleverness of this technique lies in its ability to tunnel malicious traffic through the web conferencing platform’s infrastructure. These platforms, to function in diverse network environments, often use protocols like WebRTC and TURN (Traversal Using Relays around NAT). Attackers exploit these protocols to relay their C2 traffic through the conferencing service’s own servers, making it appear as regular, encrypted video or audio data. Because this traffic originates from a trusted application and communicates with a trusted domain, it effortlessly bypasses most firewalls and network monitoring systems.
Evasion and Impact
For network defenders, this is a nightmare. Traditional security tools are designed to detect suspicious connections to known malicious IP addresses or unusual traffic patterns. However, ghost call C2 traffic is indistinguishable from a standard video meeting. It uses the same ports, the same protocols, and connects to the same legitimate cloud-hosted servers that employees use every day. This makes it incredibly difficult to detect, as it simply looks like a user is in a long, silent meeting.
Once established, this covert channel allows the attacker to maintain a persistent foothold on the network. They can use the C2 channel for various nefarious purposes, including:
- Data exfiltration: Secretly siphoning sensitive information from the compromised machine.
- Lateral movement: Using the compromised device as a pivot to access other systems on the network.
- Dropping additional malware: Deploying more potent tools, such as ransomware or keyloggers, without being detected.
Mitigation Strategies
Organizations must rethink their security posture to combat this novel threat. A simple firewall or intrusion detection system won’t cut it. Experts suggest that a multi-layered approach is required, focusing on a deeper level of analysis and endpoint security.
- Enhanced Endpoint Detection and Response (EDR): EDR solutions are crucial for monitoring an endpoint’s behavior. They can identify unusual processes or data flows from a web conferencing application that don’t align with a user’s typical activities.
- Application Control and Whitelisting: Limiting the applications that can generate network traffic and restricting their behaviors can help contain a potential breach.
- Network Traffic Analysis: Employing advanced tools that perform deep packet inspection on encrypted traffic (where TLS inspection is permitted) or that analyze its metadata, such as session duration and the volume and direction of data, may help identify subtle anomalies that indicate a ghost call.
- User Training: Educating employees about the risks and how to spot potential signs of compromise, such as slow-performing applications, can be an important first line of defense.
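The EDR and network-analysis items above both come down to comparing relay sessions against what a real meeting looks like. The following example (added here; not the article's code, and not any vendor's detection logic) applies three such heuristics to per-process flow records: a relay session opened by a process other than the conferencing client, a session that runs far longer than a meeting while carrying almost no media, and a session whose upload volume dwarfs its download. The process name, relay domain suffix and thresholds are hypothetical placeholders, and the flow records are constructed; real thresholds must be tuned against a baseline of the organisation's own meetings.

```python
"""Flow-level heuristics for relay sessions shaped unlike a real meeting.

Process names, relay domain suffixes, thresholds and flow records are all
constructed for this example; substitute your own clients and baselines.
"""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical placeholders for the sanctioned conferencing client and the
# relay (TURN) domains it is expected to talk to.
ALLOWED_CLIENTS = {"conf-client.exe", "conf-client"}
RELAY_SUFFIXES = (".turn.conferencing.example",)

MAX_DURATION_S = 4 * 3600          # sessions longer than this deserve a look ...
MIN_MEDIA_BITRATE_BPS = 20_000     # ... if they carry less than this much audio/video
MIN_EXFIL_BYTES = 50 * 1024 * 1024 # upload volume below this is not worth an alert
EXFIL_RATIO = 10.0                 # meetings are roughly symmetric; uploads 10x downloads are not


@dataclass(frozen=True)
class Flow:
    host: str
    process: str
    dest: str
    duration_s: int
    bytes_out: int
    bytes_in: int


def is_relay(dest: str) -> bool:
    """True when the destination is one of the conferencing relay domains."""
    return dest.lower().endswith(RELAY_SUFFIXES)


def evaluate(flow: Flow) -> list[str]:
    """Return the names of every heuristic the flow trips (empty for a normal meeting)."""
    findings: list[str] = []
    if not is_relay(flow.dest):
        return findings
    # 1. Relay traffic from something other than the sanctioned client.
    if flow.process.lower() not in ALLOWED_CLIENTS:
        findings.append("relay-from-unexpected-process")
    # 2. A "meeting" that lasts hours but carries no media worth the name.
    bitrate_bps = (flow.bytes_in + flow.bytes_out) * 8 / max(flow.duration_s, 1)
    if flow.duration_s > MAX_DURATION_S and bitrate_bps < MIN_MEDIA_BITRATE_BPS:
        findings.append("long-silent-session")
    # 3. Upload-dominant sessions: media is two-way, exfiltration is one-way.
    if flow.bytes_out >= MIN_EXFIL_BYTES and flow.bytes_out > EXFIL_RATIO * max(flow.bytes_in, 1):
        findings.append("upload-dominant-session")
    return findings


def triage(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each flow to its findings, keyed by host, process and destination."""
    return {f"{f.host}:{f.process}->{f.dest}": evaluate(f) for f in flows}


# Constructed flow records: one ordinary meeting, one upload-heavy session,
# one nine-hour near-silent session, one relay connection from the wrong
# process, and one unrelated flow to a non-relay destination.
SAMPLE_FLOWS = [
    Flow("ws01", "conf-client.exe", "media1.turn.conferencing.example", 3600, 200_000_000, 300_000_000),
    Flow("ws02", "conf-client.exe", "media1.turn.conferencing.example", 7200, 800_000_000, 5_000_000),
    Flow("ws03", "conf-client.exe", "media2.turn.conferencing.example", 9 * 3600, 2_000_000, 2_000_000),
    Flow("ws04", "svc-helper.exe", "media2.turn.conferencing.example", 600, 1_000_000, 900_000),
    Flow("ws05", "svc-helper.exe", "cdn.example", 600, 1_000_000, 900_000),
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_FLOWS).items():
        print(f"{key}: {findings or 'ok'}")
```

None of the three rules is conclusive alone; a muted attendee in an all-day session can trip the second, and a large screen-share recording upload the third. They earn their place as enrichment for an EDR alert about which process opened the relay socket, which is the signal the article's first mitigation point relies on.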
As hackers continue to innovate and find new ways to bypass security measures, the cybersecurity community must adapt just as quickly. The “ghost call” method is a stark reminder that even the most trusted tools can be weaponized in the hands of a determined adversary.