SesameOp: The Covert Malware Exploiting OpenAI’s Assistants API for Stealthy Command-and-Control
In July 2025, cybersecurity experts at Microsoft’s Incident Response and Detection and Response Team uncovered a sophisticated backdoor malware named SesameOp. This malware introduces a groundbreaking method for command-and-control (C2) communications, challenging conventional security paradigms by leveraging legitimate cloud services to mask its operations.
Discovery and Initial Findings
The detection of SesameOp occurred during an in-depth investigation into a prolonged security breach. Attackers had maintained a covert presence within the compromised network for several months, utilizing advanced techniques to evade detection. The investigation revealed a complex network of internal web shells strategically placed across the system. These web shells were controlled by persistent malicious processes that exploited compromised Microsoft Visual Studio utilities. By injecting code through the .NET AppDomainManager, the attackers effectively concealed their activities within legitimate system processes, making traditional detection methods ineffective.
Innovative Use of OpenAI’s Assistants API
Unlike traditional malware that relies on dedicated infrastructure or suspicious network connections, SesameOp ingeniously abuses OpenAI’s Assistants API to facilitate its C2 communications. This approach allows the malware to send and receive commands through what appears to be legitimate traffic to a trusted service, thereby evading standard security measures.
Technical Breakdown of SesameOp
The architecture of SesameOp is composed of two primary components:
1. Netapi64.dll: This heavily obfuscated loader is designed to identify and execute the main backdoor component.
2. OpenAIAgent.Netapi64: This core component orchestrates the C2 communications via the OpenAI platform.
Rather than utilizing OpenAI’s agent software development kits or model execution features, the backdoor exploits the Assistants API solely as a message storage mechanism. Commands are received in a compressed and encrypted format, which the malware decrypts and executes locally before sending the results back through the same OpenAI infrastructure.
Communication and Execution Mechanisms
Upon execution, SesameOp initiates a sophisticated command retrieval process by first establishing contact with OpenAI’s vector store infrastructure. The malware encodes the infected machine’s hostname in Base64 format and queries the Assistants API to identify corresponding vector stores and assistants previously created by the operator.
The backdoor’s configuration includes a hardcoded OpenAI API key, a dictionary key selector, and optional proxy information. Once communication is established, the malware enters a polling loop, periodically checking for new commands marked with either SLEEP or Payload designations within the assistant descriptions.
When a payload command is detected, the backdoor retrieves encrypted content from OpenAI threads using thread IDs and message identifiers. The payload undergoes multi-layered decryption:
1. A 32-byte AES key is extracted and decrypted using an embedded RSA private key.
2. The command payload is decrypted with this AES key and decompressed using GZIP.
The decrypted message is then transformed into a dictionary structure that the backdoor passes to a dynamically loaded .NET module using the JScript evaluation engine. This module executes the command and generates results that are compressed, encrypted with a randomly generated AES key, and posted back to OpenAI as a new message.
The backdoor then creates a new Assistant record with the execution results marked as Result, signaling the operator that tasks have been completed. This bidirectional communication channel remains virtually invisible to network monitoring tools since all traffic appears as routine connections to a legitimate, trusted service.
Implications and Industry Response
The discovery of SesameOp underscores a critical vulnerability in how emerging technologies can be weaponized before security communities fully understand their implications. By exploiting OpenAI’s Assistants API, attackers can maintain a stealthy presence within compromised systems, making detection and mitigation significantly more challenging.
In response to this threat, Microsoft and OpenAI conducted a joint investigation, leading OpenAI to identify and disable the API key and associated account used by the threat actor. Additionally, OpenAI has announced that the Assistants API will be deprecated and retired in August 2026. This proactive measure aims to prevent further exploitation of the API for malicious purposes.
Broader Context: AI in Cybersecurity Threats
The emergence of SesameOp is part of a broader trend where threat actors are increasingly leveraging artificial intelligence and machine learning technologies to enhance their cyberattack capabilities. For instance, earlier in 2025, a ransomware strain named PromptLock was identified, which utilized OpenAI’s `gpt-oss:20b` model to generate malicious components dynamically. This malware represented a significant evolution in ransomware design, demonstrating how AI models can be exploited to create more dynamic and evasive threats.
Furthermore, vulnerabilities in AI-powered tools have been exploited to conduct sophisticated attacks. A notable example is the AgentFlayer attack, which targeted OpenAI’s ChatGPT Connectors feature. This zero-click vulnerability allowed attackers to exfiltrate sensitive data from connected Google Drive accounts without any user interaction beyond the initial file sharing. Such incidents highlight the need for rigorous security measures in the development and deployment of AI technologies.
Recommendations for Organizations
Given the increasing sophistication of AI-driven cyber threats, organizations must adopt comprehensive security strategies to protect their systems. Key recommendations include:
1. Enhanced Monitoring: Implement advanced monitoring tools capable of detecting anomalous activities, especially those involving legitimate cloud services.
2. Regular Audits: Conduct regular security audits to identify and mitigate potential vulnerabilities within the network.
3. Employee Training: Educate employees about the latest cyber threats and the importance of adhering to security protocols.
4. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a security breach.
5. Collaboration with Security Communities: Engage with cybersecurity communities to stay informed about emerging threats and best practices for mitigation.
Conclusion
The discovery of SesameOp serves as a stark reminder of the evolving landscape of cyber threats. As attackers continue to find innovative ways to exploit emerging technologies, it is imperative for organizations to remain vigilant and proactive in their cybersecurity efforts. By understanding the mechanisms of such sophisticated malware and implementing robust security measures, organizations can better protect themselves against the ever-changing threat landscape.
