Microsoft researchers have uncovered a new backdoor that hijacks OpenAI’s Assistants API to secretly control infected systems.
The newly identified backdoor, dubbed ‘SesameOp’, exploits OpenAI as a command and control (C2) channel, allowing it to communicate undetected.
Microsoft explained that the malware uses the API to fetch and execute attacker commands, then send results back to OpenAI, effectively hiding its activity within legitimate traffic. This is a novel threat tactic, that highlights how creative attackers are becoming.
The backdoor was uncovered in July 2025 during a complex security investigation where attackers had maintained persistent access to a target environment for months. Microsoft did not name the affected organization, but confirmed the discovery was part of a sophisticated intrusion campaign.
Technical Details of the Attack
The attack uses Microsoft Visual Studio utilities modified with malicious libraries through AppDomainManager injection. This enables execution of hidden processes that relay commands via OpenAI’s API.
Microsoft’s DART researchers describe SesameOp as “a covert backdoor purpose‑built to maintain persistence and allow a threat actor to stealthily manage compromised devices.”
The malware allowed attackers to control infected devices for months by exploiting legitimate cloud services, avoiding dedicated malicious infrastructure that might trigger alerts or be disabled during incident response.
According to Microsoft’s technical analysis, the infection chain includes a loader (Netapi64.dll) and a .NET backdoor (OpenAIAgent.Netapi64) that uses the OpenAI Assistants API as its C2 channel. The DLL (heavily obfuscated with Eazfuscator.NET) is designed with detection evasion as the goal, as well as persistence and secure communications.
At runtime Netapi64.dll is injected into the host process via .NET AppDomainManager injection, triggered by a specially crafted .config file that accompanies the host executable.
The communication mechanism relies on message “description” fields to signal commands:
- SLEEP – pauses activity for a specified duration.
- Payload – extracts and executes instructions in a separate thread.
- Result – sends processed results back to OpenAI to indicate command completion.
The technique allows attackers to blend in with normal network operations, making the malicious activity difficult to distinguish from legitimate API use.
Mitigation and Vendor Response
Microsoft have shared their findings with the broader security research community in an effort to disrupt this backdoor and prevent similar threats from succeeding. According to The Hacker News, OpenAI have identified and disabled the API key and account linked to the activity.
Microsoft and OpenAI are still working together to gain a greater understanding and to disrupt threat actors attempts to misuse emerging technologies.
