Microsoft has identified a sophisticated backdoor named SesameOp that abuses OpenAI’s Assistants Application Programming Interface (API) as a covert command-and-control (C2) channel on compromised systems. Because the attackers' commands and results travel inside traffic to a legitimate service, detection becomes significantly harder.
Discovery and Initial Findings
Microsoft’s Detection and Response Team (DART) uncovered the SesameOp backdoor in July 2025 during an in-depth investigation of a prolonged security breach. The attackers had maintained undetected access to the target environment for several months, underscoring the stealth and persistence of their methods. While the specific victim remains unnamed, the incident highlights the evolving tactics employed by cyber adversaries.
Technical Breakdown of SesameOp
SesameOp is a custom-engineered backdoor designed to ensure persistent access and covert management of infected devices. Its primary objective appears to be long-term espionage, allowing attackers to monitor and control systems without detection.
The backdoor comprises two main components:
1. Loader Component (Netapi64.dll): This dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET, enhancing its stealth capabilities. It is loaded at runtime into the host executable through .NET AppDomainManager injection, as specified by a crafted configuration file accompanying the host executable.
2. .NET-Based Backdoor (OpenAIAgent.Netapi64): This component leverages the OpenAI Assistants API as a C2 channel. It fetches encrypted commands from the API, decodes them, and executes them locally. The execution results are then sent back to OpenAI as messages, facilitating a continuous feedback loop between the attacker and the compromised system.
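Defenders can hunt for the configuration-file half of the AppDomainManager injection described in item 1. The Python below is an added example, not code from Microsoft's report or from the malware; the sample configs, the ExampleLoader names and the function names are constructed for illustration, while appDomainManagerAssembly and appDomainManagerType are the .NET Framework runtime settings that select a custom manager.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed samples (assembly and type names are placeholders, not IoCs).
SUSPICIOUS_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleLoader.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

MANAGER_KEYS = {"appdomainmanagerassembly", "appdomainmanagertype"}


def find_appdomain_manager(config_bytes):
    """Return {lowercased element: value} for AppDomainManager overrides."""
    try:
        root = ET.fromstring(config_bytes)
    except ET.ParseError:
        return {}  # unparseable config: nothing to report from this file
    hits = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace
        if tag in MANAGER_KEYS:
            hits[tag] = elem.get("value", "")
    return hits


def scan_tree(root_dir):
    """Walk root_dir and report each *.exe.config that overrides the manager."""
    findings = []
    for cfg in sorted(Path(root_dir).rglob("*.exe.config")):
        hits = find_appdomain_manager(cfg.read_bytes())
        if not hits:
            continue
        # The assembly's simple name is the text before the first comma.
        simple = hits.get("appdomainmanagerassembly", "").split(",")[0].strip()
        dll_beside = bool(simple) and (cfg.parent / f"{simple}.dll").exists()
        findings.append({"config": str(cfg), "overrides": hits,
                         "dll_beside_host": dll_beside})
    return findings
```

Some legitimate software sets a custom AppDomainManager, so each finding is a lead to review against the host executable's vendor and the DLL's signature, not a verdict.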
Exploitation of OpenAI’s Assistants API
The OpenAI Assistants API enables developers to integrate AI-powered agents into their applications and workflows. By abusing this API, the threat actors behind SesameOp have devised a method to relay commands and receive execution results through a legitimate service, effectively masking their malicious activities within normal network operations.
The backdoor’s communication protocol involves three specific message types within the Assistants list retrieved from OpenAI:
– SLEEP: Instructs the process thread to pause for a specified duration, aiding in evasion by reducing detectable activity.
– Payload: Extracts the contents from the instructions field and executes them in a separate thread, allowing the attacker to run arbitrary commands on the compromised system.
– Result: Transmits the outcome of the executed payload back to OpenAI as a new message, with the description field set to Result, signaling the attacker that the command has been processed.
Implications and Broader Context
The discovery of SesameOp underscores a concerning trend in cyber threats: the misuse of legitimate tools and services to conduct malicious activities. By leveraging the OpenAI Assistants API, attackers can blend their operations with normal network traffic, making detection and mitigation more challenging.
This tactic is part of a broader pattern where cybercriminals exploit trusted platforms to achieve their objectives. For instance, in October 2025, a modified version of the Telegram messaging app for Android, named Telegram X, was used to deliver a new backdoor called Baohuo. This backdoor infected over 58,000 devices by remaining functional while executing malicious activities in the background. Similarly, in August 2025, threat actors exploited a vulnerability in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks, highlighting the continuous evolution of cyber threats.
Microsoft and OpenAI’s Response
Upon identifying the malicious use of the OpenAI Assistants API, Microsoft promptly shared its findings with OpenAI. In response, OpenAI identified and disabled the API key and associated account believed to have been used by the adversary, effectively cutting off the attacker’s access to the compromised systems.
Recommendations for Organizations
To defend against such sophisticated threats, organizations should adopt a multi-layered security approach:
– Enhanced Monitoring: Implement advanced monitoring solutions capable of detecting anomalous activities, even when they mimic legitimate network traffic.
– Regular Audits: Conduct frequent security audits to identify and remediate potential vulnerabilities within the network infrastructure.
– Employee Training: Educate staff about the latest phishing tactics and social engineering methods to reduce the risk of initial compromise.
– API Security: Review and secure API integrations to prevent unauthorized access and misuse by malicious actors.
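For this particular C2 channel, the Enhanced Monitoring recommendation can start with a list of processes that talk to the OpenAI API without being expected to. The Python below is an added example, not from the page or from Microsoft; it assumes a log source that records the calling process and the full URL, the CSV layout, process names and allow-list are constructed, and api.openai.com, /v1/assistants and /v1/threads are OpenAI's public API host and Assistants API paths rather than values taken from the page.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

OPENAI_API_HOST = "api.openai.com"
ASSISTANTS_PREFIXES = ("/v1/assistants", "/v1/threads")
APPROVED = {"chat.exe"}  # hypothetical allow-list of sanctioned API clients

# Constructed log sample (CSV: time, device, process, method, URL).
SAMPLE_LOG = """\
2025-07-01T09:00:02Z,WS-014,chat.exe,POST,https://api.openai.com/v1/chat/completions
2025-07-01T09:01:00Z,SRV-DB2,hostutil.exe,GET,https://api.openai.com/v1/assistants?limit=100
2025-07-01T09:06:00Z,SRV-DB2,hostutil.exe,GET,https://api.openai.com/v1/assistants?limit=100
2025-07-01T09:06:05Z,SRV-DB2,hostutil.exe,POST,https://api.openai.com/v1/threads/thread_EXAMPLE/messages
2025-07-01T09:07:00Z,WS-020,script.exe,POST,https://api.openai.com/v1/chat/completions
2025-07-01T09:08:00Z,WS-031,browser.exe,GET,https://api.openai.com.example.net/v1/assistants
"""


def unexpected_openai_clients(log_text, approved=APPROVED):
    """Return (device, process, requests, assistants_calls) per unapproved client.

    Rows are sorted so clients using the Assistants API paths come first.
    """
    stats = defaultdict(lambda: {"requests": 0, "assistants_calls": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, device, process, _method, url = row
        parts = urlsplit(url)
        # Exact host match, so look-alike domains are not counted as OpenAI.
        if (parts.hostname or "").lower() != OPENAI_API_HOST:
            continue
        if process.lower() in approved:
            continue
        entry = stats[(device, process.lower())]
        entry["requests"] += 1
        if parts.path.startswith(ASSISTANTS_PREFIXES):
            entry["assistants_calls"] += 1
    rows = [(dev, proc, s["requests"], s["assistants_calls"])
            for (dev, proc), s in stats.items()]
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[0]))
```

Without TLS inspection the URL path is not visible, in which case the same grouping by device and process on the destination host alone still surfaces unsanctioned clients.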
Conclusion
The emergence of the SesameOp backdoor serves as a stark reminder of the ever-evolving landscape of cyber threats. By exploiting legitimate services like OpenAI’s Assistants API, attackers can effectively conceal their operations, posing significant challenges to traditional detection mechanisms. Organizations must remain vigilant, continuously updating their security protocols to address these sophisticated tactics and protect their digital assets.