A sophisticated new backdoor named SesameOp has emerged with a novel approach to command-and-control communications that fundamentally challenges traditional security assumptions.
Discovered in July 2025 by Microsoft’s Incident Response and Detection and Response Team, this malware represents a significant shift in how threat actors exploit legitimate cloud services for covert operations.
Rather than relying on dedicated infrastructure or suspicious network connections, SesameOp ingeniously abuses the OpenAI Assistants API as a disguised command relay, allowing attackers to issue instructions and receive results through what appears as legitimate traffic to a trusted service.
The malware’s discovery emerged during a complex incident investigation where attackers had maintained operational presence within a compromised environment for months.
The investigation revealed an intricate architecture comprising internal web shells strategically positioned throughout the network.
These shells operated under control of persistent malicious processes that leveraged compromised Microsoft Visual Studio utilities through .NET AppDomainManager injection—a technique that circumvents traditional detection mechanisms by hiding malicious code within legitimate system processes.
Microsoft analysts identified the infection chain as a two-component system. The first component consists of Netapi64.dll, a heavily obfuscated loader designed to identify and execute the primary backdoor.
.webp "SesameOp Leveraging OpenAI Assistants API for Stealthy Communication with C2 Servers 3")
The second component, OpenAIAgent.Netapi64, contains the core functionality that orchestrates C2 communications through the OpenAI platform.
Rather than utilizing OpenAI’s agent software development kits or model execution features, the backdoor weaponizes the Assistants API purely as a message storage mechanism.
Commands arrive compressed and encrypted, which the malware decrypts and executes locally before returning results back through the same OpenAI infrastructure.
Communication and Execution Mechanisms
The technical sophistication underlying SesameOp extends beyond simple API misuse. Upon execution, the backdoor initiates sophisticated command retrieval by first establishing contact with OpenAI’s vector store infrastructure.
The malware encodes the infected machine’s hostname in Base64 format and queries the Assistants API to identify corresponding vector stores and assistants previously created by the operator.
The configuration embedded within the backdoor contains a hardcoded OpenAI API key, a dictionary key selector, and optional proxy information.
Once communication establishes, the malware enters a polling loop where it periodically checks for new commands marked with either “SLEEP” or “Payload” designations within the assistant descriptions.
When a payload command appears, the backdoor retrieves encrypted content from OpenAI threads using thread IDs and message identifiers.
The payload undergoes multi-layered decryption: first, a 32-byte AES key is extracted and decrypted using an embedded RSA private key, then the command payload is decrypted with this AES key and decompressed using GZIP.
The decrypted message transforms into a dictionary structure that the backdoor passes to a dynamically loaded .NET module using the JScript evaluation engine.
This module executes the command and generates results that are compressed, encrypted with a randomly generated AES key, and posted back to OpenAI as a new message.
The backdoor then creates a new Assistant record with the execution results marked as “Result,” signaling the operator that tasks have completed.
This bidirectional communication channel remains virtually invisible to network monitoring tools since all traffic appears as routine connections to a legitimate, trusted service.
The OpenAI Assistants API has been deprecated by the platform and will be retired in August 2026.
Microsoft and OpenAI jointly investigated this threat, leading OpenAI to identify and disable the API key and associated account used by the threat actor.
However, this case underscores a critical vulnerability in how emerging technologies can be weaponized before security communities fully understand their implications.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
