SOCRadar® Cyber Intelligence Inc. | SesameOp Backdoor Explained: What You Need to Know About the OpenAI API Exploitation
Nov 05, 2025

SesameOp Backdoor Explained: What You Need to Know About the OpenAI API Exploitation

In July 2025, Microsoft discovered a new backdoor called SesameOp, marking a new stage in cyber-espionage tactics. Unlike typical threats that depend on custom Command and Control (C2) infrastructures, this malware exploited the OpenAI Assistants API to communicate and exfiltrate data from compromised devices.

This blog outlines how SesameOp works, why it represents a shift in attacker behavior, and what steps organizations can take to detect and mitigate similar threats.

What Is SesameOp?

SesameOp is a covert backdoor discovered by Microsoft that abuses the OpenAI Assistants API to issue commands, execute payloads, and send results between attackers and compromised devices. It is designed to maintain long-term persistence, leverage legitimate cloud infrastructure for C2 operations, and evade traditional network defenses.

How Did Microsoft Uncover the SesameOp Backdoor?

The finding came during an investigation of a months-long breach, where attackers maintained persistence across multiple systems. Notably, Microsoft confirmed the campaign did not involve any OpenAI vulnerability, but instead showed how legitimate APIs can be misused by threat actors for covert operations.

How Does SesameOp Operate Within Compromised Systems?

SesameOp’s infection chain involves two main components: a loader named Netapi64.dll and a .NET-based backdoor called OpenAIAgent.Netapi64. The loader is heavily obfuscated using Eazfuscator.NET, a tool designed to obscure .NET code and hinder reverse engineering.

When executed, the DLL is injected into a host application using a technique known as .NET AppDomainManager injection, directed by a specifically crafted .config file. Once active, the loader establishes a persistence marker and ensures that only one instance of the malware runs at a time.
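A defender-side check for the .config-driven AppDomainManager redirection described above, added here as an example and not taken from Microsoft's or SOCRadar's analysis: it parses .NET Framework .config files and reports any that set appDomainManagerAssembly or appDomainManagerType under the runtime element. The sample configs and the ExampleLib names are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: a .config that points the CLR at a custom
# AppDomainManager. Assembly and type names are placeholders.
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleLib.Manager" />
  </runtime>
</configuration>"""

# Constructed sample: an ordinary application config with no override.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>"""

MANAGER_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}

def find_appdomain_manager(config_data):
    """Return {element name: value} for AppDomainManager overrides, else {}."""
    try:
        root = ET.fromstring(config_data)  # accepts str or raw bytes
    except ET.ParseError:
        return {}
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag.lower() in MANAGER_ELEMENTS:
                found[child.tag] = child.get("value", "")
    return found

def scan_tree(top):
    """Walk a directory and report every *.config that carries an override."""
    hits = []
    for folder, _dirs, files in os.walk(top):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:  # bytes: parser handles BOM/encoding
                    findings = find_appdomain_manager(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if findings:
                hits.append((path, findings))
    return hits
```

A hit is a lead, not a verdict: compare the named assembly against what the host application is expected to load and check whether a matching DLL sits beside the executable.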

The core of SesameOp’s functionality lies within OpenAIAgent.Netapi64. Despite its name, it does not use OpenAI’s agent SDKs or model execution features. Instead, it establishes communication through the OpenAI Assistants API, effectively turning a legitimate interface into a covert command channel.

The backdoor retrieves encrypted commands from OpenAI, executes them locally, and sends the results back as messages – wrapped in multiple layers of encryption and compression to stay undetected. This abuse of a trusted cloud API makes traditional network-based detection mechanisms less effective.

SesameOp infection chain

How Does SesameOp Use the OpenAI Assistants API as a C2 Channel?

The OpenAI Assistants API, originally designed to let developers create custom AI-powered assistants, became the centerpiece of SesameOp’s covert communication channel. Here’s how it worked:

  1. Command Retrieval:
    The malware fetched lists of Assistants and messages stored in the attacker’s OpenAI account using a valid API key. Each “Assistant” served as a placeholder for instructions or data exchange.
  2. Task Execution:
    When the description field of an Assistant was set to “Payload,” SesameOp downloaded the associated message, decrypted it using AES and RSA, decompressed it, and executed the payload.
  3. Data Return:
    Once tasks were completed, the malware encrypted the results and uploaded them back to OpenAI as a message tagged “Result.” This round-trip process mimicked normal API interactions, making malicious activity blend seamlessly with legitimate traffic.
  4. Obfuscation Techniques:
    The malware leveraged Base64 encoding, gzip compression, and asymmetric encryption to secure both incoming and outgoing data. These layers prevented defenders from easily inspecting the content of communications.

This technique of using public cloud APIs as intermediaries for malware operations allows attackers to bypass many conventional defenses. Security tools configured to trust traffic toward well-known services like OpenAI may inadvertently allow malicious exchanges to occur unnoticed.

What Did the Investigation Reveal About the Attackers’ Objectives?

Microsoft’s analysis determined that SesameOp was designed for long-term persistence and espionage rather than destructive activity. The attackers sought to quietly monitor and control compromised systems over an extended period.

During the investigation, researchers identified that the malware used multiple compromised Visual Studio utilities to sustain its presence. These utilities were tampered with through malicious library injections, allowing attackers to execute commands internally without relying on external connections.

The attackers demonstrated strong operational security, using encryption, proxy configurations, and mutexes to manage execution. Each compromised host used a unique identifier encoded in Base64 to establish its identity with the OpenAI API, further minimizing detection risks.

Microsoft and OpenAI’s Response

Following Microsoft’s findings, OpenAI and Microsoft collaborated to disable the malicious API key and associated account. The investigation confirmed that the account had not interacted with any OpenAI models beyond the API calls used for the backdoor’s C2 operations.

What Makes SesameOp a Notable Evolution in Cyber Threats?

The SesameOp campaign underscores a growing trend in cyber operations: the weaponization of legitimate cloud and AI services. Instead of hosting their own C2 infrastructure, which can be detected, blacklisted, or taken down, threat actors now exploit trusted APIs that organizations commonly whitelist.

This approach poses several challenges for defenders:

  • Trust Exploitation: Communications to trusted services like OpenAI may not raise immediate red flags.
  • Infrastructure Independence: The attackers avoided maintaining external servers, reducing their operational footprint.
  • Encrypted Payloads: Layered encryption methods hindered visibility into command content and responses.
  • Adaptive Persistence: By hiding inside normal API usage patterns, SesameOp demonstrated how attackers can adapt to modern, API-driven environments.

The approach of SesameOp

The case also highlights the importance of behavioral detection over signature-based methods. While the API calls themselves may appear benign, the context of their use – frequency, structure, and associated process activity – can signal malicious behavior.
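One way to apply that context-based view to process-attributed network telemetry, added here as an example and not taken from Microsoft's guidance: it flags processes outside an approved list that contact the OpenAI API host and marks those whose connections arrive at near-constant intervals. The events, host names, process names and the approved list are constructed assumptions; real input would come from EDR or proxy logs that record the originating process.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

AI_API_HOSTS = {"api.openai.com"}
# Assumption: the only process this organisation expects to call the API.
APPROVED_PROCESSES = {"approved-ai-client.exe"}

# Constructed events: (ISO timestamp, host, process image name, destination)
EVENTS = [
    ("2025-07-01T10:00:00", "ws-01", "example-buildtool.exe", "api.openai.com"),
    ("2025-07-01T10:05:02", "ws-01", "example-buildtool.exe", "api.openai.com"),
    ("2025-07-01T10:09:58", "ws-01", "example-buildtool.exe", "api.openai.com"),
    ("2025-07-01T10:15:01", "ws-01", "example-buildtool.exe", "api.openai.com"),
    ("2025-07-01T10:20:00", "ws-01", "example-buildtool.exe", "api.openai.com"),
    ("2025-07-01T10:01:00", "ws-02", "approved-ai-client.exe", "api.openai.com"),
    ("2025-07-01T10:02:30", "ws-02", "approved-ai-client.exe", "api.openai.com"),
    ("2025-07-01T11:00:00", "ws-03", "example-script.exe", "api.openai.com"),
    ("2025-07-01T11:00:40", "ws-03", "example-script.exe", "api.openai.com"),
    ("2025-07-01T13:12:00", "ws-03", "example-script.exe", "api.openai.com"),
    ("2025-07-01T10:03:00", "ws-01", "example-buildtool.exe", "updates.example.com"),
]

def flag_unexpected_ai_api_use(events, min_events=4, max_jitter=0.2):
    """Report unapproved processes calling AI API hosts, with a beacon hint."""
    seen = defaultdict(list)
    for ts, host, proc, dest in events:
        if dest.lower() in AI_API_HOSTS and proc.lower() not in APPROVED_PROCESSES:
            seen[(host, proc.lower())].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = False
        if len(times) >= max(min_events, 2):
            avg = mean(gaps)
            # Low spread relative to the mean gap suggests a polling loop.
            periodic = avg > 0 and pstdev(gaps) / avg <= max_jitter
        findings.append({"host": host, "process": proc,
                         "connections": len(times), "periodic": periodic})
    return findings

if __name__ == "__main__":
    for finding in flag_unexpected_ai_api_use(EVENTS):
        print(finding)
```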

How Can Organizations Mitigate the Risk of Similar Threats?

Microsoft recommends a series of proactive measures to help organizations detect and prevent similar misuse of legitimate APIs for malicious purposes:

  • Conduct regular firewall and web server audits: Review logs frequently to identify unauthorized external connections, especially those to uncommon endpoints or unusual API usage patterns.
  • Harden endpoint and network defenses: Use Windows Defender Firewall, intrusion prevention systems, and network firewalls to limit unnecessary outbound traffic and detect anomalies.
  • Restrict non-standard connections: Review perimeter firewall and proxy settings to block unauthorized or non-standard port activity that could conceal C2 communications.
  • Enable tamper protection and automated remediation: Ensure that Microsoft Defender for Endpoint is running in block mode with full automation enabled, allowing immediate response to detected threats.
  • Activate advanced protection features: Turn on potentially unwanted application (PUA) protection, real-time scanning, and cloud-delivered protection to defend against evolving attacker techniques.
  • Adopt behavioral monitoring and API auditing: Implement monitoring tools capable of identifying abnormal API usage patterns, especially interactions with cloud-based AI or data storage services.

To further enhance cybersecurity readiness, organizations can leverage SOCRadar’s Extended Threat Intelligence (XTI) platform. Our solutions provide continuous visibility into potential exposure points, track emerging threats, and deliver actionable intelligence to proactively defend against advanced attacks like SesameOp.

SOCRadar Attack Surface Management (ASM) module, Digital Footprint

By combining Microsoft’s mitigation guidance with SOCRadar’s comprehensive threat monitoring capabilities, security teams can better anticipate, detect, and neutralize evolving threats across their digital environments.

Full technical analysis and detailed mitigation strategies are available on Microsoft’s official blog.