Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications.
“Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment,” the Detection and Response Team (DART) at Microsoft Incident Response said in a technical report published Monday.
“To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.”
The tech giant said it discovered the implant in July 2025 as part of a sophisticated security incident in which unknown threat actors had managed to maintain persistence within the target environment for several months. It did not name the impacted victim.
Further investigation into the intrusion activity has led to the discovery of what it described as a “complex arrangement” of internal web shells, which are designed to execute commands relayed from “persistent, strategically placed” malicious processes. These processes, in turn, leverage Microsoft Visual Studio utilities that were compromised with malicious libraries, an approach referred to as AppDomainManager injection.
SesameOp is a custom backdoor engineered to maintain persistence and allow a threat actor to covertly manage compromised devices, indicating that the attack’s overarching goal was to ensure long-term access for espionage efforts.
OpenAI Assistants API enables developers to integrate artificial intelligence (AI)-powered agents directly into their applications and workflows. The API is scheduled for deprecation by OpenAI in August 2026, with the company replacing it with a new Responses API.
The infection chain, per Microsoft, includes a loader component (“Netapi64.dll”) and a .NET-based backdoor (“OpenAIAgent.Netapi64”) that leverages the OpenAI API as a C2 channel to fetch encrypted commands, which are subsequently decoded and executed locally. The results of the execution are sent back to OpenAI as a message.
“The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API,” the company said. “Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.”
The message supports three types of values in the description field of the Assistants list retrieved from OpenAI –
- SLEEP, to allow the process thread to sleep for a specified duration
- Payload, to extract the contents of the message from the instructions field and invoke it in a separate thread for execution
- Result, to transmit the processed result to OpenAI as a new message in which the description field is set to “Result” to signal the threat actor that the output of the execution of the payload is available
It’s currently not clear who is behind the malware, but the development illustrates continued abuse of legitimate tools for malicious purposes to blend in with normal network activity and sidestep detection. Microsoft said it shared its findings with OpenAI, which identified and disabled an API key and associated account believed to have been used by the adversary.
