Cyber Web Spider Blog – News
Microsoft Detects “SesameOp” Backdoor Using OpenAI’s API as a Stealth Command Channel

Posted on November 4, 2025 by CWS

Nov 04, 2025Ravie LakshmananArtificial Intelligence / Malware
Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses the OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications.
“Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment,” the Detection and Response Team (DART) at Microsoft Incident Response said in a technical report published Monday.
“To do this, part of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.”
The tech giant said it discovered the implant in July 2025 as part of a sophisticated security incident in which unknown threat actors had managed to maintain persistence within the target environment for several months. It did not name the affected victim.

Further investigation into the intrusion activity led to the discovery of what it described as a “complex arrangement” of internal web shells, which are designed to execute commands relayed from “persistent, strategically placed” malicious processes. These processes, in turn, leverage Microsoft Visual Studio utilities that had been compromised with malicious libraries, an approach known as AppDomainManager injection.
SesameOp is a custom backdoor engineered to maintain persistence and allow a threat actor to covertly manage compromised devices, indicating that the attack’s overarching goal was to ensure long-term access for espionage efforts.
The OpenAI Assistants API enables developers to integrate artificial intelligence (AI)-powered agents directly into their applications and workflows. The API is scheduled for deprecation by OpenAI in August 2026, with the company replacing it with a new Responses API.
The infection chain, per Microsoft, includes a loader component (“Netapi64.dll”) and a .NET-based backdoor (“OpenAIAgent.Netapi64”) that leverages the OpenAI API as a C2 channel to fetch encrypted commands, which are subsequently decoded and executed locally. The results of the execution are sent back to OpenAI as a message.
“The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API,” the company said. “Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.”
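The loading mechanism described above hinges on a .config file that tells the .NET Framework to hand control to a custom AppDomainManager before the host executable's own code runs. The following scanner is an added example written for this page (it is not Microsoft's, the malware's, or any vendor's code): it walks a directory for `*.exe.config` files, reports any that set the documented `appDomainManagerAssembly` / `appDomainManagerType` runtime elements, and checks a process environment for the equivalent `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` override variables. The sample configs, file names and the heuristic about partial assembly names are assumptions made for the example; the assembly and type names reuse the identifiers quoted above purely as labels.

```python
"""Scan .NET application .config files for AppDomainManager injection settings.

Added example for this page; it is not Microsoft's, the malware's or any
vendor's code. It looks for the two <runtime> settings that tell the .NET
Framework to load a custom AppDomainManager before the host's Main() runs:

    <runtime>
      <appDomainManagerAssembly value="..." />
      <appDomainManagerType value="..." />
    </runtime>

The sample configs and file names below are constructed for the example.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample: a typical benign app.config and one that redirects the
# host process into an assembly sitting next to it.  The assembly and type
# names reuse the identifiers from the report above purely as labels.
BENIGN_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>"""

SUSPICIOUS_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Netapi64" />
    <appDomainManagerType value="OpenAIAgent.Netapi64" />
  </runtime>
</configuration>"""

# Environment-variable equivalents of the config settings (documented .NET
# Framework names); a per-process override is as interesting as the file.
ENV_OVERRIDES = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


@dataclass
class Finding:
    path: str
    assembly: Optional[str]
    manager_type: Optional[str]
    reason: str


def _runtime_setting(root: ET.Element, name: str) -> Optional[str]:
    """Return the value attribute of the first <name .../> element, if any."""
    for node in root.iter(name):
        return node.get("value")
    return None


def scan_config_bytes(data: bytes, path: str = "<inline>") -> Optional[Finding]:
    """Return a Finding when the config asks the CLR to load an AppDomainManager."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A config that is not even well-formed XML is worth a look on its own.
        return Finding(path, None, None, f"unparseable config: {exc}")
    asm = _runtime_setting(root, "appDomainManagerAssembly")
    typ = _runtime_setting(root, "appDomainManagerType")
    if asm is None and typ is None:
        return None
    reason = "custom AppDomainManager configured"
    # Heuristic (assumption): a partial name without a PublicKeyToken is
    # probed from the host's own directory, where a dropped DLL would sit.
    if asm is not None and "PublicKeyToken" not in asm:
        reason += "; assembly given by partial name (probed from the host directory)"
    return Finding(path, asm, typ, reason)


def scan_tree(top: str) -> Iterator[Finding]:
    """Walk a directory tree and scan every *.exe.config it contains."""
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if name.lower().endswith(".exe.config"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    finding = scan_config_bytes(fh.read(), full)
                if finding:
                    yield finding


def check_environment(env: Dict[str, str]) -> List[str]:
    """Return the AppDomainManager override variables present in a process environment."""
    return [name for name in ENV_OVERRIDES if name in env]


if __name__ == "__main__":
    for sample, label in ((BENIGN_CONFIG, "benign"), (SUSPICIOUS_CONFIG, "suspicious")):
        print(label, "->", scan_config_bytes(sample, f"{label}.exe.config"))
    print("env overrides:", check_environment(dict(os.environ)))
```

Run `scan_tree()` over directories that hold signed vendor tooling (the page mentions Visual Studio utilities) and compare any hit against what the vendor actually ships; a legitimate product that relies on a custom AppDomainManager is rare enough that every finding deserves a manual look, and a host binary whose `.config` changed without an accompanying product update is the case worth escalating.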

The message supports three types of values in the description field of the Assistants list retrieved from OpenAI:

  • SLEEP, to make the process thread sleep for a specified duration
  • Payload, to extract the contents of the message from the instructions field and invoke it in a separate thread for execution
  • Result, to transmit the processed result to OpenAI as a new message in which the description field is set to “Result”, signaling to the threat actor that the output of the payload’s execution is available

It is currently not clear who is behind the malware, but the development signals continued abuse of legitimate tools for malicious purposes to blend in with normal network activity and sidestep detection. Microsoft said it shared its findings with OpenAI, which identified and disabled an API key and associated account believed to have been used by the adversary.
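Because the SLEEP/Payload/Result exchange above rides on ordinary HTTPS to OpenAI's public API, the network side of this backdoor looks like any developer or browser session, which is the "blend in with normal network activity" point made above. The triage script below is an added example written for this page (not Microsoft's or the malware's code) showing what an egress-log check can still catch: a process that is not on the organisation's approved list reaching the API, any use of the Assistants routes, and fixed-interval polling of one endpoint. It assumes the API host is `api.openai.com` and that the Assistants endpoints live under `/v1/assistants` and `/v1/threads` (OpenAI's documented routes); the log format, every log line, the host names and the `devtool.exe` process name are constructed placeholders.

```python
"""Triage egress proxy logs for unexpected processes talking to the OpenAI API.

Added example for this page; it is not Microsoft's or the malware's code.
The backdoor described above polls the OpenAI Assistants API for commands
and posts results back as messages, so on the wire it is ordinary HTTPS to
OpenAI's public API.  Assumptions: the API host is api.openai.com and the
Assistants routes live under /v1/assistants and /v1/threads (OpenAI's
documented endpoints); the log format and every line below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

OPENAI_API_HOST = "api.openai.com"                     # assumption: public API host
ASSISTANTS_ROUTES = ("/v1/assistants", "/v1/threads")  # assumption: Assistants API routes

# Processes this (hypothetical) organisation expects to reach the API.
APPROVED_PROCESSES: Set[str] = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log: "<utc time> <host> <process> <dst host> <path> <status> <bytes>".
# devtool.exe is a placeholder for a host binary; the page does not name one.
SAMPLE_LOG = """\
2025-07-10T09:00:00Z ws-017 chrome.exe api.openai.com /v1/chat/completions 200 2310
2025-07-10T09:00:05Z ws-017 chrome.exe api.openai.com /v1/chat/completions 200 1980
2025-07-10T09:00:00Z build-02 devtool.exe api.openai.com /v1/assistants 200 845
2025-07-10T09:10:00Z build-02 devtool.exe api.openai.com /v1/assistants 200 845
2025-07-10T09:20:00Z build-02 devtool.exe api.openai.com /v1/assistants 200 845
2025-07-10T09:20:03Z build-02 devtool.exe api.openai.com /v1/threads/thread_001/messages 200 612
2025-07-10T09:30:00Z ws-042 python.exe api.openai.com /v1/assistants 200 900
2025-07-10T09:31:00Z ws-042 python.exe example.com /index.html 200 5120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<path>\S+) (?P<status>\d+) (?P<bytes>\d+)$"
)


@dataclass
class Record:
    ts: datetime
    host: str
    process: str
    dst: str
    path: str


@dataclass
class Alert:
    host: str
    process: str
    reason: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one constructed log line; return None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Record(ts, m["host"], m["proc"], m["dst"], m["path"])


def triage(log_text: str, approved: Set[str] = APPROVED_PROCESSES) -> List[Alert]:
    """Flag unapproved processes, Assistants-route use and regular polling of the API."""
    alerts: List[Alert] = []
    seen: Set[Tuple[str, str, str]] = set()

    def add(host: str, proc: str, reason: str) -> None:
        if (host, proc, reason) not in seen:
            seen.add((host, proc, reason))
            alerts.append(Alert(host, proc, reason))

    series: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.dst != OPENAI_API_HOST:
            continue
        if rec.process not in approved:
            add(rec.host, rec.process, "process not on the approved list for OpenAI API access")
        if rec.path.startswith(ASSISTANTS_ROUTES):
            add(rec.host, rec.process, f"Assistants API route {rec.path}")
        series[(rec.host, rec.process, rec.path)].append(rec.ts)

    # An implant waiting for operator commands polls on a fixed schedule;
    # three or more requests at near-identical spacing is the signal here.
    for (host, proc, path), times in series.items():
        if len(times) < 3:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if min(gaps) > 0 and max(gaps) / min(gaps) <= 1.2:
            mean = int(sum(gaps) / len(gaps))
            add(host, proc, f"regular polling of {path} every ~{mean}s ({len(times)} requests)")
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert.host:9} {alert.process:12} {alert.reason}")
```

To use this against real data, replace `parse_line()` with a parser for your proxy's format (it needs only timestamp, source host, originating process, destination host and path) and tune `APPROVED_PROCESSES` to the clients your organisation actually sanctions. The polling check is the one that survives an attacker picking an approved-looking process name: a SLEEP-driven loop produces evenly spaced requests to a single route, which is unlike interactive chat traffic.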

Source: The Hacker News. Tags: API, Backdoor, Channel, Command, Detects, Microsoft, OpenAIs, SesameOp, Stealth
