Microsoft Discloses “SesameOp” Backdoor Abusing OpenAI API for Stealthy Command and Control

Microsoft has identified a novel backdoor, designated “SesameOp,” that uses OpenAI’s Assistants API as its command-and-control (C2) channel. Instead of contacting attacker-owned servers, the implant relays commands and results through the API, so its traffic looks like ordinary HTTPS to a widely used service.

Microsoft Incident Response’s Detection and Response Team (DART) disclosed the findings, noting that the threat actor behind SesameOp departs from traditional C2 by building on OpenAI’s platform: a component of the backdoor calls the OpenAI Assistants API to retrieve commands, which the malware then executes in the compromised environment.

Microsoft’s investigation uncovered the implant in July 2025 during a sophisticated security incident. The threat actor had maintained persistence in the target environment for several months before discovery. The intrusion relied on a set of internal web shells that executed commands relayed from malicious processes; those processes ran inside legitimate Microsoft Visual Studio utilities that had been hijacked through .NET AppDomainManager injection. In that technique a configuration file placed next to a .NET executable names a custom AppDomainManager assembly, and the runtime loads and runs that assembly before the program’s own code, so a legitimate binary becomes the host for the attacker’s loader.
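The configuration-file side of that technique is something defenders can hunt for directly. The following Python script is an added example, not Microsoft’s tooling or anything from the SesameOp report: it walks a directory tree for `<name>.exe.config` files whose `<runtime>` section sets `appDomainManagerAssembly` or `appDomainManagerType`, and reports the executable, the named assembly, and whether a DLL by that name sits beside it. The sample directory it builds, the executable name `vs_tool.exe` and the type name `Netapi64.Loader` are constructed for the example.

```python
"""Hunt for .NET AppDomainManager injection staged on disk.

Added example, not Microsoft's tooling or code from the SesameOp report.
A <app>.exe.config whose <runtime> names an appDomainManagerAssembly makes
the .NET runtime load that assembly when the executable starts; this scanner
finds such configs and checks whether the named DLL is sitting next to the
executable. build_sample_tree() writes constructed sample files.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional

# Environment variables that also wire in an AppDomainManager.
ENV_MARKERS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

# Constructed for this example; the type name Netapi64.Loader is hypothetical.
INJECTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Netapi64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Netapi64.Loader" />
  </runtime>
</configuration>
"""


def inspect_config(config_path: Path) -> Optional[Dict]:
    """Return a finding if this config sets an AppDomainManager, else None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm_el = runtime.find("appDomainManagerAssembly")
    type_el = runtime.find("appDomainManagerType")
    if asm_el is None and type_el is None:
        return None
    asm = asm_el.get("value", "") if asm_el is not None else ""
    mgr_type = type_el.get("value", "") if type_el is not None else ""
    # An assembly display name starts with its simple name: "Netapi64, Version=..."
    simple_name = asm.split(",")[0].strip()
    exe = config_path.with_suffix("")          # vs_tool.exe.config -> vs_tool.exe
    dll = config_path.parent / f"{simple_name}.dll"
    return {
        "config": str(config_path),
        "executable": str(exe),
        "executable_present": exe.exists(),
        "assembly": asm,
        "type": mgr_type,
        "sideloaded_dll_present": bool(simple_name) and dll.exists(),
    }


def hunt(root: Path) -> List[Dict]:
    """Walk root and collect every .exe.config that wires in an AppDomainManager."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe.config"):
                finding = inspect_config(Path(dirpath) / name)
                if finding:
                    findings.append(finding)
    return findings


def env_vars_set() -> Dict[str, str]:
    """Return any AppDomainManager environment variables present in this process."""
    return {k: os.environ[k] for k in ENV_MARKERS if k in os.environ}


def build_sample_tree() -> Path:
    """Write a constructed tree: one clean app, one hijacked tool with a side-loaded DLL."""
    root = Path(tempfile.mkdtemp(prefix="adm_hunt_"))
    clean = root / "clean_app"
    clean.mkdir()
    (clean / "clean_app.exe").write_bytes(b"")
    (clean / "clean_app.exe.config").write_text(BENIGN_CONFIG)
    hijacked = root / "hijacked_tool"
    hijacked.mkdir()
    (hijacked / "vs_tool.exe").write_bytes(b"")
    (hijacked / "vs_tool.exe.config").write_text(INJECTED_CONFIG)
    (hijacked / "Netapi64.dll").write_bytes(b"")
    return root


if __name__ == "__main__":
    for finding in hunt(build_sample_tree()):
        print(finding)
    print("env:", env_vars_set())
```

On a real host, point `hunt()` at the Program Files and Visual Studio installation directories and compare the results against a known-good install: a config that names an AppDomainManager assembly which is not part of the product, especially one whose DLL lies beside the executable, is the artifact to pull. Because the same injection can be set through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, check the environment of running .NET utilities as well, not only the scanner’s own process.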

SesameOp is custom-built to keep long-term access and covertly manage devices, which points to espionage as the primary objective. The Assistants API it abuses, which OpenAI has scheduled for deprecation in August 2026, lets developers embed AI-powered agents in applications; here it serves only as a dead drop that both sides of the C2 exchange can reach.

The infection chain, as detailed by Microsoft, consists of a loader, “Netapi64.dll,” and a .NET backdoor, “OpenAIAgent.Netapi64.” The loader is the assembly pulled into the hijacked process by the AppDomainManager injection; it is heavily obfuscated with Eazfuscator.NET to hinder analysis, and it brings up the backdoor. The backdoor uses the OpenAI API to fetch encrypted commands, decrypts and executes them locally, and posts the execution results back to OpenAI as messages.

Communication with the OpenAI API uses distinct message types within the Assistants API: “SLEEP” commands tell the backdoor to pause, “Payload” commands carry a task to execute, and “Result” messages return the outcome of a processed payload. Microsoft reported sharing its findings with OpenAI, which identified and disabled the API key and account linked to the adversary’s activity. Revoking that key closes this actor’s channel but not the technique: any valid API key would serve the same purpose, so defenders cannot rely on OpenAI’s takedown alone.

Technical analysis shows that the malware compresses payloads and applies layered symmetric and asymmetric encryption to both command data and exfiltrated results. The backdoor uses the Assistants API to enumerate vector stores and assistants and embeds the encrypted commands within messages, so even with TLS inspection in place the content of the exchange is opaque; what remains observable is which hosts talk to the API, which endpoints they call, and how regularly.

Microsoft recommends several mitigations: regularly auditing firewall and web server logs, blocking C2 communications, and enabling security settings such as tamper protection and endpoint detection and response (EDR) in block mode. Because the C2 endpoint here is OpenAI’s own API, blanket blocking of api.openai.com is only an option for organizations with no legitimate use of the service; otherwise the practical control is egress filtering that restricts which hosts and identities may reach the API, together with alerting on servers and non-developer systems that suddenly do. Microsoft Defender Antivirus detects the components as Trojan:MSIL/Sesameop.A and Backdoor:MSIL/Sesameop.A, and Microsoft Defender XDR surfaces related alerts.
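Auditing those logs for this threat means looking for the two things the description of the backdoor pins down: Assistants API calls from hosts with no business making them, and a polling rhythm. The Python below is an added example, not Microsoft’s detection logic: it reads constructed key=value proxy log lines (the log format, IP addresses and approved-host list are assumptions), keeps requests to api.openai.com, and flags sources that use the Assistants API endpoint families (`/v1/assistants`, `/v1/threads`, `/v1/vector_stores`) and poll at a near-constant interval, as a sleep-loop backdoor does.

```python
"""Triage outbound proxy logs for Assistants-API traffic that looks like C2.

Added example, not code from Microsoft's report. Input is a constructed
key=value proxy log; the format, IP addresses and the approved-host list are
assumptions made for this example.
"""
from datetime import datetime
from statistics import median
from typing import Dict, List, Set

OPENAI_HOST = "api.openai.com"
# Endpoint families of the Assistants API that the backdoor is described as using.
ASSISTANTS_PREFIXES = ("/v1/assistants", "/v1/threads", "/v1/vector_stores")

# Constructed sample: 10.20.0.15 is a server polling /v1/assistants every 60 s and
# posting a thread message; 10.20.0.40 is an approved developer workstation that
# mostly uses chat completions and touches the Assistants API once.
SAMPLE_LOG = """\
2025-07-14T09:00:00Z src=10.20.0.15 dst=api.openai.com method=GET path=/v1/assistants status=200
2025-07-14T09:00:05Z src=10.20.0.40 dst=api.openai.com method=POST path=/v1/chat/completions status=200
2025-07-14T09:01:00Z src=10.20.0.15 dst=api.openai.com method=GET path=/v1/assistants status=200
2025-07-14T09:01:30Z src=10.20.0.15 dst=update.example.net method=GET path=/manifest.json status=200
2025-07-14T09:02:00Z src=10.20.0.15 dst=api.openai.com method=GET path=/v1/assistants status=200
2025-07-14T09:03:00Z src=10.20.0.15 dst=api.openai.com method=POST path=/v1/threads/thread_abc/messages status=200
2025-07-14T09:04:00Z src=10.20.0.15 dst=api.openai.com method=GET path=/v1/assistants status=200
2025-07-14T09:05:00Z src=10.20.0.40 dst=api.openai.com method=GET path=/v1/assistants status=200
2025-07-14T09:10:00Z src=10.20.0.40 dst=api.openai.com method=POST path=/v1/chat/completions status=200
"""

# Assumption: the only host in this sample that is expected to use OpenAI.
APPROVED_SOURCES: Set[str] = {"10.20.0.40"}


def parse_line(line: str) -> Dict[str, object]:
    """Parse one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def triage(log_text: str, approved: Set[str]) -> List[Dict]:
    """Return one alert per source that called the Assistants API.

    severity is 'high' when the source is unapproved and its calls are evenly
    spaced (beacon-like); anything else that touched the API is 'review'.
    """
    per_source: Dict[str, List[Dict]] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dst"] != OPENAI_HOST:
            continue
        per_source.setdefault(str(rec["src"]), []).append(rec)

    alerts = []
    for src, recs in per_source.items():
        assistants = [r for r in recs if str(r["path"]).startswith(ASSISTANTS_PREFIXES)]
        if not assistants:
            continue
        times = sorted(r["ts"] for r in assistants)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon_like = False
        if len(gaps) >= 3:
            med = median(gaps)
            # Spread of intervals within 20% of the median: a sleep loop, not a human.
            beacon_like = med > 0 and (max(gaps) - min(gaps)) <= 0.2 * med
        alerts.append({
            "src": src,
            "approved": src in approved,
            "assistants_calls": len(assistants),
            "median_gap_s": median(gaps) if gaps else None,
            "beacon_like": beacon_like,
            "severity": "high" if (src not in approved and beacon_like) else "review",
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, APPROVED_SOURCES):
        print(alert)
```

Proxy logs captured without TLS inspection show only the destination host, not the path; in that case drop the path filter and rely on host plus periodicity, and treat any server, as opposed to a developer workstation, that contacts api.openai.com as worth a look. The 20% interval tolerance is a starting point; widen it if the implant adds jitter, and tighten the minimum call count if the log window is long.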

This discovery highlights the evolving tactics of threat actors in turning legitimate, widely used cloud services into covert infrastructure.