LmCast :: Stay tuned in

SesameOp Backdoor Uses OpenAI API for Covert C2

Recorded: Nov. 4, 2025, 4:16 p.m.

Original

Malware used in a months-long attack demonstrates how bad actors are misusing generative AI services in unique and stealthy ways.

Elizabeth Montalbano, Contributing Writer
November 4, 2025

A new backdoor uses an OpenAI API for command-and-control (C2) communications to covertly manage malicious activities within a compromised environment, demonstrating a unique way attackers can abuse generative AI services and tooling.

Researchers from Microsoft's Detection and Response Team (DART) discovered a backdoor dubbed "SesameOp" in July after responding to a security incident in which threat actors lurked undetected in an environment for several months, according to a blog post published Monday by Microsoft Incident Response. The covert backdoor, designed by threat actors to maintain persistence and allow them to manage compromised devices, is "consistent with the objective of the attack, which was determined to be long-term persistence for espionage-type purposes," according to the post.

A unique aspect of SesameOp, however, is a component that uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs. The API is a tool that allows developers to create custom AI assistants using Azure OpenAI models, enabling features like conversation management and task automation.

"Our investigation uncovered how a threat actor integrated the OpenAI Assistants API within a backdoor implant to establish a covert C2 channel, leveraging the legitimate service rather than building a dedicated infrastructure for issuing and receiving instructions," according to the post.

The attacker also employed other "sophisticated techniques" in its use of the API to secure and obfuscate C2 communications. These included compressing payloads to minimize size and using both layered symmetric and asymmetric encryption to protect command data and exfiltrated results.

Deliberate Misuse of OpenAI API

Microsoft researchers provided a deep dive into the attack and misuse of OpenAI in the blog post. After DART responded to the July incident, its investigation found a "complex arrangement of internal web shells," each of which was responsible for running commands relayed from persistent, strategically placed malicious processes, according to the post. These processes leveraged multiple Microsoft Visual Studio (VS) utilities that had been compromised with malicious libraries, "a defense evasion method known as .NET AppDomainManager injection," according to the post.

It was when attackers were hunting across other VS utilities loading unusual libraries that they discovered additional files that could facilitate external communications with the internal Web shell structure, including SesameOp. The overall infection chain of the backdoor is comprised of a loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64) that leverages OpenAI as a C2 channel, according to the post.

"The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API," according to the post. "Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable."

Disclosure and Mitigation

Microsoft's DART informed OpenAI of their findings and the two companies jointly investigated this misuse of the API. What they found is that it did not represent a vulnerability or misconfiguration of the tool, "but rather a way to misuse built-in capabilities of the OpenAI Assistants API," which itself will be phased out in August 2026, according to the post.

OpenAI has since identified and disabled an API key and associated account believed to have been used by the threat actor as part of SesameOp. "The review confirmed that the account had not interacted with any OpenAI models or services beyond limited API calls," according to Microsoft Incident Response.

Microsoft and OpenAI said they will continue to collaborate to achieve a better understanding of how threat actors misuse emerging technologies so as to disrupt these efforts. Indeed, APIs can hold the keys to the kingdom for generative AI services and applications, and attackers have been quick to misuse and abuse them since the inception of the technology.

In the meantime, Microsoft Incident Response offered several mitigations for defenders and recommended that organizations frequently audit and review firewalls and Web server logs, and be aware of all systems exposed directly to the Internet. They also should use a local firewall, intrusion prevention systems, and a network firewall to block C2 server communications across endpoints whenever feasible. "This approach can help mitigate lateral movement and other malicious activities," according to the post. Defenders also should review and configure perimeter firewall and proxy settings to limit unauthorized access to services, including connections through non-standard ports, according to Microsoft.
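The crafted .config file that the post says drives the .NET AppDomainManager injection is something defenders can hunt for. The Python script below is an added example, not code from the article or from Microsoft: it scans a directory tree for .NET configuration files that set `appDomainManagerAssembly` or `appDomainManagerType` and records whether a DLL with the named assembly's simple name sits beside the config. The sample files, the host name `hosttool.exe` and the type name `PlaceholderManagerType` are constructed placeholders.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# The two <runtime> settings that make the .NET Framework load a custom AppDomainManager.
KEYS = {"appdomainmanagerassembly": "assembly", "appdomainmanagertype": "type"}

def inspect_config(path):
    """Return a finding dict if the config names an AppDomainManager, else None."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None  # unreadable or not XML; report separately in a fuller tool
    found = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace prefix
        if tag in KEYS and elem.get("value"):
            found[KEYS[tag]] = elem.get("value").strip()
    if not found:
        return None
    # An assembly display name starts with the simple name: "Netapi64, Version=..."
    simple = found.get("assembly", "").split(",")[0].strip().lower()
    beside = {p.name.lower() for p in Path(path).parent.iterdir()}
    found["config"] = str(path)
    found["dll_beside_config"] = bool(simple) and simple + ".dll" in beside
    return found

def scan(root_dir):
    """Collect findings from every *.config file under root_dir."""
    hits = [inspect_config(p) for p in sorted(Path(root_dir).rglob("*.config"))]
    return [h for h in hits if h]

def build_sample_tree(base):
    """Constructed sample data: a benign config and one naming an AppDomainManager."""
    crafted = ("<configuration><runtime><appDomainManagerAssembly value='Netapi64, "
               "Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'/>"
               "<appDomainManagerType value='PlaceholderManagerType'/></runtime></configuration>")
    files = {"ok/app.exe.config": "<configuration><startup/></configuration>",
             "tools/hosttool.exe.config": crafted, "tools/Netapi64.dll": ""}
    for rel, body in files.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan(build_sample_tree(tmp)):
            print(hit)
```

A custom AppDomainManager is a documented .NET feature, so each hit is a triage lead: check whether the named assembly is signed, expected for that application, and present in the software's original install.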

Summarized

The Microsoft Detection and Response Team (DART) uncovered a sophisticated backdoor, dubbed “SesameOp,” demonstrating a novel method for attackers to leverage the OpenAI Assistants API for covert command-and-control (C2) operations. This discovery highlights a concerning trend: the misuse of generative AI services by malicious actors. The backdoor, utilized over a months-long period, exemplifies how attackers are adapting to emerging technologies to maintain persistent access and conduct espionage. Researchers discovered SesameOp through a security incident, noting that the attacker had skillfully blended into the environment, making the detection challenging.

A key element of the SesameOp backdoor was its utilization of the OpenAI Assistants API. Instead of establishing a dedicated C2 infrastructure, the attacker cleverly integrated this legitimate service, allowing it to fetch commands and relay results. This approach masked the malware’s activity, making it difficult to trace back to its source. The attackers also employed sophisticated techniques to secure and obfuscate C2 communications, including compression and layered encryption, further complicating detection efforts. The backdoor utilized a complex arrangement of internal web shells, leveraging Microsoft Visual Studio (VS) utilities with compromised libraries via .NET AppDomainManager injection.

The investigation revealed a loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64) that leveraged OpenAI as its C2 channel. The DLL was heavily obfuscated using Eazfuscator.NET and designed for stealth, persistence, and secure communication via the OpenAI Assistants API. This API, slated for deprecation in August 2026, was being abused to create a covert communication channel. Microsoft and OpenAI collaborated to investigate the incident, and they confirmed that the misuse wasn't due to a vulnerability but a deliberate exploitation of the API’s capabilities. OpenAI identified and disabled an API key and associated account believed to have been used by the threat actor.

The incident underscored the importance of proactive security measures, including frequent audits of firewall and web server logs, along with awareness of all systems exposed directly to the internet. Defenses should include local firewalls, intrusion prevention systems, and network firewalls to block C2 server communications. The discovery of SesameOp provides a crucial case study for organizations seeking to understand and mitigate the potential risks posed by the evolving landscape of generative AI and emerging technologies.