SesameOp Backdoor Abuses OpenAI API

In a striking demonstration of how cyber-threats adapt to emerging technologies, Microsoft's Incident Response team has uncovered a sophisticated new malware known as SesameOp, which uniquely exploits the OpenAI Assistants API for command-and-control (C2) operations.

This discovery marks one of the first known cases of attackers using an artificial intelligence platform's API as a communication channel for malware, demonstrating that even legitimate and trusted cloud services can be misused for malicious purposes.

SesameOp was uncovered by Microsoft's Detection and Response Team (DART) during a security investigation in July 2025. The team found that the malware had been active within a target environment for several months, maintaining a stealthy and persistent presence. Unlike conventional backdoors that rely on dedicated servers or compromised domains to send and receive commands, SesameOp instead used OpenAI's Assistants API, a legitimate service designed for developers, to transmit encrypted instructions and receive results.

Microsoft clarified that this was not the result of a vulnerability or misconfiguration within OpenAI's systems. Instead, the attackers exploited the service's legitimate capabilities to communicate covertly. This distinction is crucial: the misuse of trusted infrastructure makes the attack significantly more challenging to detect, since network traffic to OpenAI's API endpoints would ordinarily appear harmless.

This tactic represents a shift from traditional malware operations. Instead of using malicious infrastructure that defenders can identify and block, the attackers used a highly reputable API service to mask their activity. By doing so, they effectively embedded themselves within ordinary internet traffic, making detection through standard firewall or proxy filters far more difficult.

The infection chain begins with a malicious loader, an obfuscated dynamic-link library (DLL) named Netapi64.dll. The loader employs a technique known as .NET AppDomainManager injection, enabling it to execute malicious code within legitimate system processes. Once active, it monitors the Windows temporary directory for a specially named file that acts as a trigger. When that file appears, the loader executes the next stage of the malware.

The second stage is a backdoor component called OpenAIAgent.Netapi64. Rather than directly running any AI-related models, this module uses the OpenAI Assistants API as a relay medium. It connects to the API using a configuration string that includes an API key, a dictionary key name, and sometimes a proxy address. The malware then queries for Assistants associated with that account and reads information hidden within the description fields to determine what it should do next.

When the description indicates a "Payload" instruction, the malware downloads and decrypts a payload, executes it using the JScript engine, and then compresses and encrypts the output using AES and RSA encryption before sending it back through the same API. It even creates new "Assistants" named after the infected host's encoded hostname to signal status updates to the attacker.

This mechanism enables seamless two-way communication between the attacker and victim, eliminating the need for an external C2 server. The result is a stealthy, persistent channel operating entirely through a trusted cloud platform. The malware's purpose appears to be long-term espionage rather than immediate disruption, consistent with techniques used by advanced persistent threat (APT) actors.

Broader Implications

While SesameOp's immediate victims appear to be organizations, the implications extend far beyond the enterprise world. The campaign demonstrates how malicious actors can quickly adapt legitimate tools for their own benefit. It also highlights how cloud services, APIs, and AI-driven platforms can become integral to the cyber-threat ecosystem once they are widely adopted.

The use of OpenAI's API for C2 operations highlights several concerning trends. Attackers increasingly prefer "living off the land" tactics, namely using existing, trusted infrastructure to avoid detection. By exploiting well-known cloud services instead of building their own networks, they lower costs, increase survivability, and complicate defenders' efforts. This trend also challenges traditional cybersecurity models, which rely on identifying and blocking known malicious domains or IP addresses.

Another vital lesson from SesameOp is the persistence of such threats. Because the malware operated undetected for months, it had ample time to gather intelligence, exfiltrate data, and map the victim's systems. This persistence raises risks for data confidentiality and business continuity, especially for smaller organizations that may lack advanced monitoring tools.

Microsoft issued clear guidance for defenders seeking to identify or prevent similar attacks. The company advised security teams to examine network traffic for unusual connections to external APIs, especially from devices that have no business reason to use them. They also recommended enforcing stricter outbound communication rules through firewalls and proxies, limiting access to only necessary domains.
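The traffic review described above can be sketched as follows. This is an added example, not code from Microsoft or from the original article. It flags devices that reach the OpenAI API without an approved business reason and marks those whose requests arrive at regular intervals. The log format, host names, approved-source list and periodicity thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real telemetry): timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
2025-07-01T09:00:00 fileserver-02 api.openai.com 2048
2025-07-01T09:01:10 dev-ws-01 api.openai.com 5120
2025-07-01T09:05:02 fileserver-02 api.openai.com 1990
2025-07-01T09:07:45 hr-laptop-07 api.openai.com 880
2025-07-01T09:08:00 fileserver-02 updates.example.com 300
2025-07-01T09:10:01 fileserver-02 api.openai.com 2101
2025-07-01T09:15:03 fileserver-02 api.openai.com 2050
2025-07-01T09:20:00 fileserver-02 api.openai.com 1975
"""

WATCHED_API_HOSTS = {"api.openai.com"}
APPROVED_SOURCES = {"dev-ws-01"}  # assumption: hosts with a documented business need


def parse(log):
    """Yield (timestamp, source, destination, bytes_sent) per non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, sent = line.split()
            yield datetime.fromisoformat(ts), src, dst.lower(), int(sent)


def find_suspects(log, approved=APPROVED_SOURCES, min_hits=4, max_jitter=0.2):
    """Return unapproved sources that reached a watched API host.

    'periodic' is True when the gaps between requests are regular enough
    (coefficient of variation <= max_jitter) to suggest automated polling.
    """
    seen = defaultdict(list)
    for ts, src, dst, _sent in parse(log):
        if dst in WATCHED_API_HOSTS and src not in approved:
            seen[src].append(ts)
    findings = {}
    for src, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = (len(stamps) >= max(min_hits, 2) and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings[src] = {"hits": len(stamps), "periodic": periodic}
    return findings


if __name__ == "__main__":
    for host, info in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, info)
```

A single unapproved request still appears in the result so it can be triaged; the periodic flag only raises its priority.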

Endpoint protection remains a crucial layer of defense. Microsoft encourages organizations to enable tamper protection within Windows Defender, run endpoint detection and response (EDR) solutions in block mode, and ensure that real-time antivirus protection and cloud-delivered threat intelligence are turned on.

Beyond these enterprise-level measures, smaller organizations and home users can still take meaningful steps to reduce exposure. Keeping operating systems and software up to date, avoiding unverified downloads, and regularly auditing installed applications can prevent attackers from gaining initial access. Users should also enable multifactor authentication (MFA) whenever possible to make unauthorized access more difficult.

In conclusion, SesameOp represents a new frontier in malware design, blending technical innovation with strategic deception. By abusing the OpenAI Assistants API, the attackers created a covert command-and-control channel that bypasses many traditional security measures. The discovery by Microsoft's researchers illustrates both the ingenuity of modern threat actors and the growing challenge defenders face as legitimate tools become part of the cyber battlefield.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
