SesameOp Backdoor Hijacks OpenAI Assistants API for Covert C2 and Espionage

In an example of how threat actors are adapting to modern AI ecosystems, Microsoft’s Incident Response – Detection and Response Team (DART) has uncovered a sophisticated espionage-focused backdoor that uses the OpenAI Assistants API as a command-and-control (C2) channel.

The newly identified malware, named SesameOp, marks one of the first known cases where attackers leveraged legitimate AI APIs to stealthily issue and receive commands inside compromised environments.

“Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment,” Microsoft explained.

DART researchers discovered SesameOp in July 2025 during a months-long compromise of an enterprise network that involved web shells and modified Visual Studio utilities. The attackers had injected malicious .NET libraries into Visual Studio’s AppDomainManager, enabling long-term persistence while evading detection.

“These processes leveraged multiple Microsoft Visual Studio utilities that had been compromised with malicious libraries, a defense evasion method known as .NET AppDomainManager injection,” Microsoft wrote.

Further investigation led to the discovery of Netapi64.dll, a heavily obfuscated .NET component that acted as a loader for the backdoor. Once executed, the loader deployed the core implant, OpenAIAgent.Netapi64, designed to maintain covert control over infected hosts.

Microsoft noted that “the stealthy nature of SesameOp is consistent with the objective of the attack, which was determined to be long-term persistence for espionage-type purposes.”

The defining feature of SesameOp lies in its use of OpenAI’s Assistants API — a legitimate cloud service that enables developers to create AI-powered assistants — as a covert data exchange layer between the attacker and infected hosts.

The malware component does not execute AI models or SDK functions, but instead fetches encrypted commands from OpenAI’s API and posts the results back as messages.

“Contrary to its name, OpenAIAgent.Netapi64 does not utilize OpenAI agent software development kits (SDKs) or model execution features. Instead, it uses OpenAI Assistants API to fetch commands, which the malware then decrypts and executes locally,” Microsoft clarified.

After performing the requested tasks, SesameOp compresses and encrypts the results before sending them back to the attacker via the same API. The backdoor’s entire communication cycle remains hidden inside legitimate HTTPS traffic to api.openai.com, blending perfectly with normal developer activity.

“To stay under the radar, it uses compression and encryption, ensuring both the incoming payload and the outgoing results remain hidden,” the report said.

Microsoft’s analysis breaks down SesameOp’s architecture into two primary components:

1. Netapi64.dll – The Loader

• Obfuscated using Eazfuscator.NET.
• Creates marker and mutex files (C:\Windows\Temp\Netapi64.start).
• Searches for .Netapi64 payloads under the Temp directory, XOR-decodes them, and executes the decrypted backdoor.

2. OpenAIAgent.Netapi64 – The Backdoor

Reads a .NET resource section containing configuration data in the format:

<OpenAI_API_Key>|<Dictionary_Key_Name>|<Proxy>

Connects to OpenAI via the provided API key and optionally routes traffic through a proxy.

Retrieves a list of “Assistants” and “vector stores” from the API, using description fields such as SLEEP, Payload, or Result to determine its next actions.

When the description field is set to SLEEP, the malware temporarily suspends itself based on a time interval retrieved from the API. If set to Payload, it downloads and decrypts a malicious script from OpenAI, executes it, and later returns the output to the same channel.

Each payload follows a complex hybrid encryption process:

• AES-256 for symmetric encryption
• RSA for encrypting the AES key
• GZIP compression for stealth and size reduction

“The first element is a 32-byte AES key, which is Base64-decoded and decrypted using a hardcoded RSA private key… the second element is Base64-decoded, decrypted with AES, and decompressed with GZIP,” the researchers detailed.

By leveraging the Assistants API, the attackers avoided setting up their own C2 infrastructure, instead using OpenAI’s global cloud network as an encrypted relay.

“Our investigation uncovered how a threat actor integrated the OpenAI Assistants API within a backdoor implant to establish a covert C2 channel, leveraging the legitimate service rather than building a dedicated infrastructure,” Microsoft explained.

Microsoft confirmed that SesameOp is not a vulnerability or misconfiguration within OpenAI’s systems, but rather a misuse of a legitimate feature.

“This threat does not represent a vulnerability or misconfiguration, but rather a way to misuse built-in capabilities of the OpenAI Assistants API,” Microsoft emphasized.

After DART shared its findings with OpenAI, the company identified and disabled the attacker’s API key and account.

Related Posts:

• JavaScript-Based Malware Exploits Steganography for Covert Data Theft
• Android Revolution: Gemini Replaces Assistant on All Devices
• New Attack on Microsoft 365 Copilot Steals Personal Data
• Copilot Is Coming to Your Living Room with New Samsung Smart TV Partnership
• Malicious Python Packages Exploited Gmail as Covert Command-and-Control Channels

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy