AI Backdoor: SesameOp Malware Uses OpenAI API as Covert Command-and-Control Channel
Microsoft has uncovered a new strain of malware, dubbed SesameOp, and released detailed findings on its operation. This backdoor stands out for its unconventional design: its creators leveraged the OpenAI Assistants API as a covert command-and-control channel, allowing them to disguise malicious activity within infected systems and evade traditional detection mechanisms.
The intrusion was first identified in July 2025 during the investigation of a sophisticated attack in which an unidentified threat group maintained persistent access to a victim’s infrastructure for several months. Although the organization targeted has not been named, researchers uncovered an extensive network of internal web shells and malicious processes disguised as legitimate Visual Studio utilities. The attackers employed AppDomainManager injection, modifying configuration files to instruct executables to load a malicious dynamic library, Netapi64.dll, containing the backdoor’s core logic.
The library was heavily obfuscated using Eazfuscator.NET, enhancing its stealth capabilities. It acted as a loader for a .NET module named OpenAIAgent.Netapi64, which retrieved instructions through the OpenAI Assistants API. These encrypted commands were decrypted, executed in a separate thread, and the results were transmitted back via the same API. In effect, OpenAI’s infrastructure was exploited as a seemingly legitimate intermediary command node, rendering malicious traffic indistinguishable from ordinary API usage.
Communication between the malware and its command server was carried out through messages embedding key parameters in the description field. These parameters included SLEEP, used to pause execution temporarily; Payload, which delivered nested instructions; and Result, which relayed execution output back to the attacker.
Although the perpetrators remain unidentified, the operation highlights an emerging trend: the abuse of legitimate cloud platforms as covert communication channels. This significantly complicates detection, as the traffic appears indistinguishable from normal corporate API activity. Following Microsoft’s disclosure, the OpenAI security team conducted an internal audit, identified the suspicious API key, and promptly disabled the associated account.
According to Microsoft, the use of SesameOp reflects a deliberate effort to establish long-term, stealthy access to compromised infrastructure while maintaining operational control undetected. The OpenAI Assistants API, which served as the control medium, is slated for deprecation in August 2026 and is to be replaced by the upcoming Responses API.
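The AppDomainManager injection described above leaves a trace defenders can hunt for: a .NET application configuration file that names a custom AppDomainManager assembly. The following sketch is an added example, not code from Microsoft's report; it walks a directory for `*.exe.config` files, reports any that set `appDomainManagerAssembly` or `appDomainManagerType`, and notes whether a DLL with that name sits next to the executable. The sample config, the type name `ExampleManager` and the file name `tool.exe.config` are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

def find_appdomain_manager(config_bytes):
    """Return the AppDomainManager settings found in a .NET config, or None."""
    try:
        root = ET.fromstring(config_bytes)
    except ET.ParseError:
        return None  # malformed config: nothing to report from this file
    found = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present
        if tag in KEYS and el.get("value"):
            found[tag] = el.get("value")
    return found or None

def scan(root_dir):
    """Yield (config_path, settings, dll_beside_exe) for every hit."""
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                hit = find_appdomain_manager(fh.read())
            if hit:
                # Assembly display name is "Name, Version=..., ..."
                asm = hit.get("appDomainManagerAssembly", "").split(",")[0].strip()
                dll = os.path.join(folder, asm + ".dll")
                yield path, hit, bool(asm) and os.path.isfile(dll)

# Constructed sample: a config that redirects the host to a side-loaded DLL.
SAMPLE = b"""<configuration><runtime>
  <appDomainManagerAssembly value="Netapi64, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="ExampleManager" />
</runtime></configuration>"""

def demo():
    """Build a throwaway directory with one suspicious and one clean config."""
    with tempfile.TemporaryDirectory() as d:
        for fname, data in (("tool.exe.config", SAMPLE),
                            ("clean.exe.config", b"<configuration/>"),
                            ("Netapi64.dll", b"")):
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(data)
        return list(scan(d))

if __name__ == "__main__":
    for path, settings, dll_present in demo():
        print(path, settings, "DLL beside exe:", dll_present)
```

Legitimate software occasionally sets these elements, so treat a hit as a lead to verify (signer, file age, whether the vendor ships that config) rather than a verdict.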