Microsoft’s Detection and Response Team has exposed a sophisticated backdoor malware that exploits the OpenAI Assistants API as an unconventional command-and-control communication channel.
Named SesameOp, this threat demonstrates how adversaries are rapidly adapting to leverage legitimate cloud services for malicious purposes, making detection significantly more challenging for security teams.
The discovery highlights the evolving tactics of threat actors who seek to blend malicious traffic with legitimate API communications to evade traditional security controls.
The backdoor discovered by Microsoft’s DART researchers in July 2025 represents a significant departure from traditional malware communication methods.
Rather than establishing dedicated infrastructure for command-and-control operations, the threat actors behind SesameOp abuse the OpenAI Assistants API to store, relay, and retrieve malicious commands.
This approach allows attackers to hide their communications within legitimate API traffic to a trusted service provider, making detection through conventional network monitoring extremely difficult.
The malware component uses the API as both a storage and relay mechanism, fetching encrypted commands that are then executed on compromised systems.
The investigation revealed that threat actors had maintained a presence within the targeted environment for several months before detection.
The complex attack infrastructure included internal web shells responsible for executing commands relayed from persistent malicious processes.
These processes exploited multiple Microsoft Visual Studio utilities that had been compromised using malicious libraries through .NET AppDomainManager injection, a sophisticated defense evasion technique.
This multi-layered approach enabled the attackers to establish deep persistence while remaining undetected across extended periods.
Technical Architecture and Infection Chain
SesameOp’s infection chain consists of two primary components working in tandem. The loader component, Netapi64.dll, is heavily obfuscated using Eazfuscator.NET and is loaded at runtime into host executables via .NET AppDomainManager injection.

This DLL creates marker files in the Windows Temp directory and establishes a mutex to ensure only one instance runs in memory. The loader enumerates files under the Temp directory, searching for files ending with the .Netapi64 extension, which it then XOR-decodes and executes.
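A triage sketch for the loader stage described above, added here as an example and not taken from Microsoft's report: it walks a directory tree, flags .NET config files that declare an AppDomainManager override (the appDomainManagerAssembly and appDomainManagerType runtime settings), and flags files matching the loader name and payload extension named in the article. The function names and the sample tree are hypothetical, and a hit is a lead to review rather than proof of compromise.

```python
import os
import xml.etree.ElementTree as ET

ADM_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}  # .NET <runtime> settings
LOADER_NAME = "netapi64.dll"    # loader file name reported in the article
PAYLOAD_SUFFIX = ".netapi64"    # payload extension reported in the article

def adm_settings(config_path):
    """Return AppDomainManager overrides declared in a .NET config file."""
    try:
        root = ET.parse(config_path).getroot()
    except (ET.ParseError, OSError):
        return {}
    found = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip an XML namespace if present
        if tag.lower() in ADM_ELEMENTS:
            found[tag] = el.get("value", "")
    return found

def scan(root_dir):
    """Walk root_dir and return sorted (kind, path, detail) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            path, low = os.path.join(folder, name), name.lower()
            if low.endswith(".config"):
                settings = adm_settings(path)
                if settings:
                    findings.append(("adm_override", path, repr(sorted(settings.items()))))
            elif low == LOADER_NAME:
                findings.append(("loader_name", path, ""))
            elif low.endswith(PAYLOAD_SUFFIX):
                findings.append(("payload_suffix", path, ""))
    return sorted(findings)

def build_sample_tree(base):
    """Write a constructed sample tree (hypothetical names and values) under base."""
    override = ('<configuration><runtime>'
                '<appDomainManagerAssembly value="Example, Version=1.0.0.0"/>'
                '<appDomainManagerType value="Example.Manager"/>'
                '</runtime></configuration>')
    files = {"tools/clean.exe.config": "<configuration><runtime/></configuration>",
             "tools/host.exe.config": override,
             "tools/Netapi64.dll": "", "temp/constructed.Netapi64": ""}
    for rel, text in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
```

Call build_sample_tree on an empty scratch directory and then scan on the same path to see the three finding kinds; on a real host, point scan at the application and Temp directories under review.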
The main backdoor component, OpenAIAgent.Netapi64, contains the core functionality enabling covert operations.


Despite its name suggesting integration with OpenAI SDKs, the malware actually uses the OpenAI Assistants API purely as a communication channel.
Upon launch, it reads configuration data embedded in its .NET resource section, which includes the OpenAI API key, dictionary key name, and proxy settings.
The backdoor queries vector stores from OpenAI using the hardcoded API key, checking if the vector store name contains the infected machine’s hostname. If communicating for the first time, it creates a new vector store using the compromised system’s hostname.
The code checks whether the third part of the configuration specifies a proxy address; if present, it uses this address. In the absence of proxy details, the backdoor falls back to the system default web proxy.


The malware retrieves lists of Assistants created in the OpenAI account and parses their properties including Assistant ID, name, description, and instructions.
The description field serves as a command selector containing one of three options: SLEEP, Payload, or Result. When set to SLEEP, the backdoor extracts thread and message IDs from the instruction field to retrieve timing commands from OpenAI.
For Payload commands, it retrieves encrypted messages, deletes them from OpenAI, and processes them through multiple decryption layers.
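A hunting sketch for the channel described above, added here as an example and not taken from Microsoft's report: it groups requests to api.openai.com by device and process, then flags processes outside an approved list and clients that only ever touch Assistants API resources (assistants, threads, vector stores) without calling a model endpoint. The log format, process names and allowlist are constructed assumptions, and seeing URL paths assumes EDR or TLS-inspecting proxy telemetry.

```python
from collections import defaultdict
from urllib.parse import urlsplit

API_HOST = "api.openai.com"
# Assistants API resources the article says the backdoor uses for storage and relay.
RELAY_PREFIXES = ("/v1/assistants", "/v1/threads", "/v1/vector_stores")

# Constructed telemetry, one "device process url" record per line (hypothetical names).
SAMPLE_LOG = """\
WS-014 llm-client.exe https://api.openai.com/v1/chat/completions
WS-014 llm-client.exe https://example.com/index.html
BUILD-02 devtool.exe https://api.openai.com/v1/vector_stores
BUILD-02 devtool.exe https://api.openai.com/v1/assistants
BUILD-02 devtool.exe https://api.openai.com/v1/threads/thread_x/messages
APP-07 python.exe https://api.openai.com/v1/assistants
APP-07 python.exe https://api.openai.com/v1/chat/completions
HR-03 helper.exe https://api.openai.com/v1/chat/completions
"""

def openai_api_findings(log_text, approved_processes):
    """Return findings for (device, process) pairs that talk to the OpenAI API."""
    paths = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        device, process, url = parts
        target = urlsplit(url)
        if (target.hostname or "").lower() == API_HOST:
            paths[(device, process.lower())].append(target.path)
    findings = []
    for (device, process), seen in sorted(paths.items()):
        reasons = []
        if process not in approved_processes:
            reasons.append("unapproved_process")
        if all(p.startswith(RELAY_PREFIXES) for p in seen):
            reasons.append("assistants_only")  # storage/relay use, no model calls
        if reasons:
            findings.append({"device": device, "process": process,
                             "requests": len(seen), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in openai_api_findings(SAMPLE_LOG, {"llm-client.exe", "python.exe"}):
        print(finding)
```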
Encryption and Obfuscation Techniques
SesameOp employs sophisticated multi-layered encryption to protect both incoming commands and outgoing exfiltration data.
In the context of OpenAI, Assistants refer to a feature within the OpenAI platform that allows developers and organizations to create custom AI agents tailored to specific tasks, workflows, or domains.


Retrieved messages contain a 32-byte AES key that is Base64-decoded and decrypted using a hardcoded RSA private key embedded in the malware.
The actual payload is Base64-decoded, decrypted using the AES algorithm with the derived key, and decompressed using GZIP.
This layered approach combining symmetric and asymmetric encryption with compression minimizes payload size while maximizing security of communications.
After decryption and decompression, the payload undergoes additional processing to convert it into a dictionary structure.
The backdoor uses URL decoding and parsing techniques to transform the message into key-value pairs. An embedded .NET module is then dynamically loaded using reflection, which initializes a Microsoft JScript VsaEngine to execute the payload using Eval.JScriptEvaluate. Execution results are compressed with GZIP, encrypted using AES, and Base64-encoded before being posted back to OpenAI as new messages.
The backdoor creates new Assistants with encoded hostnames and sets the description field to Result, signaling to the attacker that execution results are ready for retrieval.
Mitigations
Microsoft and OpenAI conducted a joint investigation into this threat, resulting in the identification and disabling of the API key and associated account believed to have been used by the attackers.
The backdoor parses the timeSLEEP field from the response received from OpenAI. The value is then used to perform a thread sleep operation.


The review confirmed that the compromised account had only made limited API calls and had not interacted with OpenAI models or services beyond the C2 communications.
Both companies continue collaborating to understand and disrupt how threat actors attempt to misuse emerging technologies.
Microsoft emphasizes that this threat does not represent a vulnerability in the OpenAI platform but rather a misuse of legitimate functionality. The OpenAI Assistants API is scheduled for deprecation in August 2026.
Microsoft recommends comprehensive security measures to defend against SesameOp and similar threats. Organizations should audit firewall and web server logs frequently while maintaining awareness of all Internet-exposed systems.
Network segmentation using Windows Defender Firewall, intrusion prevention systems, and network firewalls can block C2 communications across endpoints and mitigate lateral movement.
Perimeter firewall and proxy configurations should be reviewed to limit unauthorized access through non-standard ports. Enabling tamper protection in Microsoft Defender for Endpoint prevents attackers from disabling security controls.
Running endpoint detection and response in block mode allows Microsoft Defender to block malicious artifacts even when other antivirus solutions fail to detect threats.
Organizations should also configure automated investigation and remediation to full automated mode and enable cloud-delivered protection to defend against rapidly evolving attacker tools and techniques.




