SesameOp Backdoor: How Attackers Weaponized OpenAI's Assistants API for Covert Operations

Microsoft's Detection and Response Team (DART) has identified a new backdoor malware called SesameOp, which represents a shift in how attackers hide their command-and-control (C2) communications. Instead of building their own infrastructure that security teams can easily spot and block, the operators behind SesameOp are using OpenAI's legitimate Assistants API as their covert communication channel.

Discovery and Timeline

The investigation began in July 2025, when Microsoft specialists responded to a cyberattack that had been active for several months. During their analysis, the team discovered that attackers had maintained remote control over infected systems without triggering standard detection mechanisms. This prolonged access suggests the malware was purpose-built for long-term espionage rather than quick data theft or system disruption.

How the Attack Works

SesameOp operates through a multi-stage process that blends legitimate cloud services with malicious intent. The attack sequence breaks down into several key components:

Initial Deployment

The malware is loaded on victim systems through .NET AppDomainManager injection, a technique the attackers used against Microsoft Visual Studio utilities. This method allows the backdoor to load into memory without creating obvious file-based indicators that traditional antivirus solutions might catch. The attackers also deployed a heavily obfuscated loader alongside a .NET backdoor, making reverse engineering and detection more difficult for security teams.

Command-and-Control Channel

Here's where SesameOp differs from typical backdoors: instead of connecting to attacker-controlled servers (which can be identified through network monitoring and threat intelligence feeds), the malware communicates through OpenAI's Assistants API. This approach provides several benefits to the attackers:

  1. The traffic appears legitimate, since it's connecting to a trusted cloud service
  2. Security teams are less likely to block OpenAI domains
  3. The infrastructure is maintained by OpenAI, not the attackers
  4. Standard C2 detection signatures won't match this traffic pattern

Operational Process

The backdoor follows a specific workflow for receiving and executing commands:

  1. SesameOp retrieves compressed and encrypted instructions via the Assistants API
  2. The malware decrypts these commands locally on the infected system
  3. Commands are executed based on attacker objectives
  4. Data collected from victim devices is encrypted using both symmetric and asymmetric encryption methods
  5. Encrypted information is transmitted back through the same API channel

Per Microsoft Incident Response analysts, "Ahead of this backdoor, instead of traditional methods, [attackers] are abusing the OpenAI service as a C2 channel for covert communication and to orchestrate malicious activity within a compromised environment."

Persistence Mechanisms

SesameOp maintains its presence through internal web shells and malicious processes designed for long-term operations. These persistence methods ensure the backdoor survives system reboots and remains active even if security teams remove other malware components. In my opinion, this focus on stealth and longevity clearly points to cyber espionage objectives rather than financially motivated cybercrime.

Technical Analysis and Implications

What makes this case particularly interesting is that SesameOp doesn't exploit any vulnerabilities or misconfigurations in the OpenAI platform. The attackers are simply using the Assistants API exactly as it was designed to function. This raises important questions about how legitimate cloud services can be repurposed for malicious activity without requiring any actual security flaws.

The use of cloud-based APIs for C2 communication isn't entirely new—security researchers have documented similar techniques using services like Slack, Discord, and Twitter in previous years. However, the integration with OpenAI's platform represents a new variation that security teams need to account for in their detection strategies.

Response and Mitigation

Microsoft and OpenAI conducted a joint investigation following the discovery of SesameOp. The collaborative effort led to several concrete actions:

  1. Identification and termination of the attackers' OpenAI account
  2. Revocation of the compromised API key
  3. Blocking of infrastructure connected to the malicious campaign

In addition, Microsoft has shared indicators of compromise (IOCs) and detection guidance with security teams to help identify potential SesameOp infections in their environments.

Lessons for Security Teams

This incident highlights several important considerations for defenders:

API Monitoring

Organizations need to monitor API traffic to cloud services, even when those services are legitimate and trusted. Baseline normal usage patterns and investigate anomalies such as unusual data volumes, connection frequencies, or access from unexpected systems.
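
The baselining described above can be sketched as follows. This is an added example, not code from Microsoft or from the original article; the telemetry record layout, host names, process names and the volume threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

API_HOST = "api.openai.com"

# Constructed sample telemetry: (day, host, process, destination, bytes_out).
# Host and process names are hypothetical.
BASELINE_EVENTS = [
    ("2025-06-01", "ws-01", "python.exe", API_HOST, 40_000),
    ("2025-06-01", "ws-01", "python.exe", API_HOST, 20_000),
    ("2025-06-02", "ws-01", "python.exe", API_HOST, 50_000),
    ("2025-06-02", "ws-02", "chrome.exe", "example.com", 9_000),
]
OBSERVED_EVENTS = [
    ("2025-07-01", "ws-01", "python.exe", API_HOST, 55_000),
    ("2025-07-02", "ws-01", "python.exe", API_HOST, 250_000),
    ("2025-07-02", "build-07", "devtool.exe", API_HOST, 4_000),
    ("2025-07-02", "ws-02", "chrome.exe", "example.com", 1_000),
]

def daily_totals(events, dest=API_HOST):
    """Sum bytes sent to dest per (host, process, day)."""
    totals = defaultdict(int)
    for day, host, proc, destination, nbytes in events:
        if destination.lower() == dest:
            totals[(host, proc, day)] += nbytes
    return totals

def build_baseline(events, dest=API_HOST):
    """Peak daily bytes per (host, process) seen talking to dest."""
    peak = {}
    for (host, proc, _day), total in daily_totals(events, dest).items():
        peak[(host, proc)] = max(peak.get((host, proc), 0), total)
    return peak

def find_anomalies(events, baseline, dest=API_HOST, volume_factor=3):
    """Flag sources absent from the baseline and days far above their peak."""
    findings = []
    for (host, proc, day), total in sorted(daily_totals(events, dest).items()):
        if (host, proc) not in baseline:
            findings.append((day, host, proc, "new-source"))
        elif total > volume_factor * baseline[(host, proc)]:
            findings.append((day, host, proc, "volume"))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(OBSERVED_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

A "new-source" finding is a host and process pair that has never been seen contacting the API before, which is the "access from unexpected systems" case; "volume" covers the unusual data volume case.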

Defense in Depth

Relying solely on blocking known-bad domains and IP addresses isn't sufficient. Security teams should implement multiple detection layers, including behavior-based monitoring, memory analysis, and process execution tracking.

Cloud Service Usage Policies

Review which cloud APIs your organization uses and establish policies for their legitimate use. This makes it easier to spot unauthorized API connections that might indicate compromise.

.NET Security

The use of AppDomainManager injection suggests organizations running .NET applications should review their security configurations. Microsoft has published guidance on hardening .NET environments against this type of attack vector.
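
One starting point for such a review, as an added example that is not part of the original article or of Microsoft's guidance: the script below inventories application .config files that set the .NET Framework `appDomainManagerAssembly` or `appDomainManagerType` runtime elements, which is one way a custom AppDomainManager gets loaded. The sample configuration is constructed, its assembly and type names are hypothetical, and the allowlist parameter is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# .NET Framework <runtime> settings that name a custom AppDomainManager.
ADM_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample; the assembly and type names are hypothetical.
SAMPLE_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleManager.Loader" />
  </runtime>
</configuration>"""

def appdomain_manager_settings(config_xml):
    """Return {element: value} for AppDomainManager settings in a .config document."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}  # not well-formed XML; nothing to report
    found = {}
    for elem in root.iter():
        name = elem.tag.split("}")[-1]  # ignore any XML namespace prefix
        if name in ADM_ELEMENTS:
            found[name] = elem.get("value", "")
    return found

def scan_configs(top, allowed_assemblies=()):
    """Walk top and list .config files naming a manager assembly not in the allowlist."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # bytes let the parser handle BOMs and encodings
                settings = appdomain_manager_settings(fh.read())
            assembly = settings.get("appDomainManagerAssembly", "").split(",")[0].strip()
            if settings and assembly not in allowed_assemblies:
                hits.append((path, settings))
    return sorted(hits, key=lambda hit: hit[0])

if __name__ == "__main__":
    print(appdomain_manager_settings(SAMPLE_CONFIG))
```

Any hit deserves a look at who wrote the .config file and whether the named assembly sits beside the executable; the scan covers configuration files only, not other ways of setting an AppDomainManager.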

Looking Ahead

The SesameOp case demonstrates how attackers continue to adapt their techniques to evade detection. By leveraging trusted services rather than building suspicious infrastructure, they make it harder for security teams to distinguish malicious traffic from legitimate business activity.

Security professionals should expect to see more variations of this technique targeting different cloud platforms and APIs. The key to defending against these attacks lies in understanding normal behavior in your environment and detecting deviations, rather than relying exclusively on signature-based detection or blocklists.

Organizations should also work closely with their cloud service providers to understand how to monitor for abuse of APIs and what indicators might suggest malicious usage. As this investigation shows, collaboration between security teams and platform providers can be effective in disrupting these operations once they're identified.

About the Investigation: This analysis is based on reporting from Microsoft's Detection and Response Team (DART) and Microsoft Incident Response. Organizations concerned about potential SesameOp infections should consult Microsoft's published IOCs and detection guidance.