Microsoft has exposed a novel and sophisticated backdoor, codenamed SesameOp, that abuses the legitimate OpenAI Assistants API as its primary command-and-control (C2) channel. This technique represents a significant evolution in cyber espionage, allowing attackers to hide their communications within trusted, everyday AI traffic.
A New Stealth Tactic: Hiding in Plain Sight
Discovered by the Microsoft Detection and Response Team (DART) in July 2025, the SesameOp backdoor was part of a complex intrusion where threat actors maintained undetected access for several months. Instead of using traditional, easily flagged C2 servers, the malware ingeniously uses the OpenAI Assistants API as a stealthy relay.
Microsoft explained, “Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment.”
The attackers achieved this by using a component of the backdoor to fetch commands from the OpenAI API, which the malware would then execute on the compromised host.
The Sophisticated Infection Chain
The attack involved a multi-layered approach to establish a deep foothold:
- Initial Foothold: The attackers deployed a “complex arrangement” of internal web shells.
- Persistence Mechanism: These web shells were controlled by persistent, malicious processes that used a technique called AppDomainManager injection. This involved compromising Microsoft Visual Studio utilities with malicious libraries, a method that helps blend malicious activity with legitimate software processes.
- The Custom Backdoor (SesameOp): This .NET-based backdoor is specifically engineered for long-term espionage, ensuring attackers can covertly manage the infected system.
How SesameOp Leverages the OpenAI API
The technical execution of SesameOp is methodical. The infection chain has two main components:
- The Loader (Netapi64.dll): A heavily obfuscated DLL file that is loaded into a legitimate host executable via AppDomainManager injection.
- The Backdoor (OpenAIAgent.Netapi64): The core backdoor that communicates with the OpenAI Assistants API.
The backdoor works in a continuous loop:
- It retrieves the list of “Assistants” from the attacker’s OpenAI account.
- It reads the description field of each assistant, which contains encrypted commands.
- It supports three command types:
  - SLEEP: Tells the malware to pause its activity for a specified time.
  - Payload: Extracts and executes a command from the instructions field in a separate thread.
  - Result: Sends the output of the executed command back to the OpenAI API as a new message, notifying the attacker that the results are ready for retrieval.
This creates a covert two-way communication channel entirely within the legitimate infrastructure of a well-known AI service.
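One way to hunt for the polling loop described above, as an added example that is not taken from Microsoft's report or from the original article: group process-level network events by device and process image, and surface any binary outside an approved list that connects to the OpenAI API host. The allowlist, device names, process paths and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

API_HOST = "api.openai.com"  # API host the backdoor polls, per the article

# Assumption: binaries this hypothetical organisation expects to call the API.
ALLOWED_IMAGES = {r"c:\program files\contoso\chatclient\chatclient.exe"}

# Constructed sample events: (timestamp, device, process image, remote host).
SAMPLE_EVENTS = [
    ("2025-07-01T09:00:05", "ws-014", r"C:\Program Files\Contoso\ChatClient\ChatClient.exe", "api.openai.com"),
    ("2025-07-01T09:12:40", "srv-web02", r"C:\Tools\VS\ExampleVsUtility.exe", "api.openai.com"),
    ("2025-07-01T09:20:11", "srv-web02", r"C:\Tools\VS\ExampleVsUtility.exe", "update.example.com"),
    ("2025-07-01T09:42:41", "srv-web02", r"C:\Tools\VS\ExampleVsUtility.exe", "api.openai.com"),
    ("2025-07-01T10:12:43", "srv-web02", r"C:\Tools\VS\ExampleVsUtility.exe", "API.OPENAI.COM"),
    ("2025-07-01T10:42:44", "srv-web02", r"C:\Tools\VS\ExampleVsUtility.exe", "api.openai.com"),
    ("2025-07-01T11:05:00", "ws-020", r"C:\Python312\python.exe", "api.openai.com"),
]


def find_unexpected_api_clients(events, allowed=ALLOWED_IMAGES, min_hits=3):
    """Return non-allowlisted (device, image) pairs that reached API_HOST.

    Each finding carries the hit count, the minutes between first and last
    connection, and a 'recurring' flag for pairs seen at least min_hits times,
    which is the pattern a continuous polling loop leaves behind.
    """
    seen = defaultdict(list)
    for ts, device, image, remote in events:
        if remote.lower() != API_HOST:
            continue  # unrelated destination
        if image.lower() in allowed:
            continue  # approved client of the API
        seen[(device, image.lower())].append(datetime.fromisoformat(ts))

    findings = []
    for (device, image), times in seen.items():
        span = max(times) - min(times)
        findings.append({
            "device": device,
            "image": image,
            "hits": len(times),
            "span_minutes": int(span.total_seconds() // 60),
            "recurring": len(times) >= min_hits,
        })
    # Most frequent callers first, so polling behaviour is reviewed before one-offs.
    return sorted(findings, key=lambda f: f["hits"], reverse=True)
```

A one-off hit from a developer tool and a server-side utility calling the API every half hour both appear in the output, but only the second is marked recurring.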
Attribution and Response
While the identity of the threat actor remains unknown, the campaign highlights a growing trend of “living-off-the-land” techniques, where attackers abuse legitimate tools and services to avoid detection.
Upon discovery, Microsoft shared its findings with OpenAI. OpenAI subsequently identified and disabled the specific API key and associated account believed to have been used in the attack.


