Microsoft discovered SesameOp, a new backdoor that uses OpenAI’s Assistants API for covert command and control (C2) operations. This technique allows attackers to fetch commands and exfiltrate data through a trusted cloud service, making detection harder. Discovered in July 2025, SesameOp aims for long-term persistence, often a hallmark of espionage campaigns.
The SesameOp backdoor stands out. It leverages the OpenAI Assistants API as a storage and relay system for C2 communications. This is a clever twist, moving away from dedicated malicious infrastructure.
This approach helps the malware blend its C2 traffic with legitimate network communications. It’s a real challenge for cybersecurity defenses. Microsoft Incident Response confirmed this isn’t a vulnerability or misconfiguration. Instead, it’s a clever misuse of existing API capabilities. It’s worth noting the specific API SesameOp abuses is set for deprecation in August 2026.
How SesameOp Operates and Stays Hidden
The SesameOp infection process has two key parts. There’s a loader and a .NET-based backdoor.
The loader, called _Netapi64.dll, is heavily obfuscated. It uses Eazfuscator.NET. It achieves persistence via .NET AppDomainManager injection. That’s a defense evasion method, aligning with MITRE ATT&CK T1574.014. This component first creates a file marker. You’d find it at C:\Windows\Temp\Netapi64.start. It also sets a mutex to ensure only one instance runs. Then, it enumerates files in C:\Windows\Temp\. It looks for files ending with .Netapi64, XOR-decodes them, and executes them. New malware strains keep showing us just how advanced these defense evasion techniques are getting.
The backdoor itself, _OpenAIAgent.Netapi64, holds the core logic. This is where it talks to the OpenAI Assistants API for C2. Microsoft researchers found it doesn’t use OpenAI SDKs. It also skips model execution features. It just abuses the API for communication. Configuration details are pulled from its embedded .NET resource section, TextFile1. This includes an OpenAI API key, a dictionary key, and a proxy address.
For command fetching, the backdoor queries the OpenAI Assistants API. It searches vector store lists and Assistants. Commands are then extracted. They come from the description and instruction fields of Assistant objects. They also appear in messages tied to a specific thread ID. Messages retrieved contain an AES key, which is RSA-encrypted. They also hold the payload, AES-encrypted and GZIP-compressed. The payload gets decrypted, decompressed, and processed into a dictionary. Execution happens through Eval.JScriptEvaluate. This runs within a dynamically loaded, embedded .NET module.
For result exfiltration, execution outcomes are GZIP-compressed. Then they are AES-encrypted. Finally, they are posted back to OpenAI as a new message. A new Assistant is created. It’s named with the Base64-encoded hostname. Its description field is set to Result. This signals that the outcome is ready. SesameOp uses payload compression (GZIP) and layered encryption (AES with an RSA-encrypted key) for all command data. This also applies to exfiltrated results. This is how it maintains its stealth, as noted by Microsoft DART.
Joint Response and Broader Implications
Microsoft and OpenAI didn’t sit on this. They jointly investigated how this threat actor used the OpenAI Assistants API. DART shared its findings with OpenAI directly. This led to quickly identifying and disabling the API key. The associated account, believed to be used by the actor, was also shut down. Microsoft Incident Response confirmed this.
SesameOp’s stealth is by design. Its objective is long-term persistence for espionage. This novel approach, using legitimate cloud services for C2, creates a significant cybersecurity hurdle. It truly highlights the need for advanced endpoint detection. Robust firewalling is crucial. Proactive security measures are a must. We need them to counter threats that exploit trusted cloud platforms.