Microsoft has revealed details of a new backdoor called SesameOp that uses the OpenAI Assistants application programming interface (API) for command-and-control (C2) communications.
“Instead of relying on traditional techniques, the attackers behind this backdoor are exploiting OpenAI as a C2 channel as a way to covertly communicate and coordinate malicious activity within a compromised environment,” the Microsoft Incident Response Detection and Response Team (DART) said in a technical report published Monday.
“To do this, the backdoor component uses the OpenAI Assistants API as a storage or relaying mechanism to retrieve commands, which the malware then executes.”
The tech giant said it discovered the implant in July 2025 as part of an advanced security incident in which an unknown attacker remained viable within the targeted environment for several months. The names of the affected victims were not released.
Further investigation into the intrusion activity uncovered what was described as a “complex arrangement” of internal web shells. These shells are designed to execute relayed commands from “persistent and strategically placed” malicious processes. These processes leverage Microsoft Visual Studio utilities that have been compromised with malicious libraries. This approach is called AppDomainManager injection.
SesameOp is a custom backdoor designed to maintain persistence and allow attackers to secretly manage compromised devices, indicating that the primary goal of this attack was to secure long-term access for espionage.
The OpenAI Assistants API allows developers to integrate artificial intelligence (AI)-powered agents directly into their applications and workflows. This API is scheduled to be deprecated by OpenAI in August 2026, and the company will replace it with the new Responses API.
According to Microsoft, the infection chain includes a loader component (‘Netapi64.dll’) and a .NET-based backdoor (‘OpenAIAgent.Netapi64’) that leverages the OpenAI API as a C2 channel to fetch encrypted commands, which are then locally decoded and executed. The execution results are returned to OpenAI as messages.
“The dynamic link library (DLL) is highly obfuscated using Eazfuscator.NET and designed to provide stealth, persistence, and secure communication using the OpenAI Assistants API,” the company said. “Netapi64.dll is loaded into the host executable at runtime via .NET AppDomainManager injection according to instructions in a crafted .config file accompanying the host executable.”
This message supports three values for the assistant list description field obtained from OpenAI.
SLEEP: Puts the process thread to sleep for a specified period of time. Payload: Extracts the message content from the instruction field and calls it on a separate thread for execution. Result: Sends the processed result to OpenAI as a new message with the description field set to “Result” to notify the threat actor that the output of the payload execution is available.
Although it is currently unclear who is behind the malware, this development suggests that it continues to exploit legitimate tools for malicious purposes in order to evade detection by blending in with normal network activity. Microsoft said it has shared its findings with OpenAI, identifying and disabling the API keys and associated accounts believed to have been used by the attackers.
Source link
