Executive Summary

Publication Date: November 3, 2025

Microsoft’s Detection and Response Team (DART) has uncovered a sophisticated backdoor, named SesameOp, which leverages the OpenAI Assistants API as a covert command-and-control (C2) channel. This innovative approach allows attackers to blend malicious activity with legitimate API communications, significantly complicating detection and mitigation efforts. This report provides a comprehensive analysis of the technical mechanisms, security implications, supply chain risks, and compliance considerations associated with SesameOp, drawing on authoritative sources and industry commentary.

Introduction

The discovery of SesameOp marks a pivotal moment in the evolution of cyber threats, as attackers increasingly exploit trusted cloud APIs to evade traditional security controls. By abusing the OpenAI Assistants API, the threat actors behind SesameOp have demonstrated a new level of stealth and persistence, raising the bar for defenders and highlighting the urgent need for enhanced monitoring of third-party service dependencies.

Technical Analysis

SesameOp is engineered for long-term persistence and espionage. Its architecture consists of a loader, Netapi64.dll, and a .NET-based backdoor, OpenAIAgent.Netapi64, both of which are heavily obfuscated to evade detection. The malware employs Eazfuscator.NET for code obfuscation, and utilizes layered encryption—combining AES and RSA—alongside GZIP compression to protect payloads and exfiltrated data.

A key innovation is the abuse of the OpenAI Assistants API as a storage and relay mechanism for encrypted commands and results. The malware dynamically configures itself using embedded .NET resources, including API keys and proxy settings, and creates or manages OpenAI Assistants and vector stores to facilitate covert communication.

The infection chain begins with the loader, which injects the backdoor into the target process using .NET AppDomainManager injection. Once established, the backdoor fetches encrypted commands from the OpenAI API, executes them locally, and exfiltrates the results back to the attacker via the same API channel. This method allows malicious traffic to blend seamlessly with legitimate business operations, making detection extremely challenging.

Key Innovations and Differentiators

The most significant innovation in SesameOp is its use of a legitimate, widely adopted cloud API—OpenAI Assistants—for C2 operations. This approach enables attackers to evade traditional network monitoring and threat intelligence feeds, leverage trusted third-party infrastructure to complicate attribution and takedown, and use legitimate API calls that are difficult to distinguish from normal business activity.

As noted by the Microsoft Security Blog: “Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment. To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.”

Security Implications and Potential Risks

The use of the OpenAI API as a C2 channel introduces several critical risks. Malicious and legitimate traffic are indistinguishable at the network level, increasing attacker dwell time and reducing detection rates. Abuse of trusted cloud services can bypass perimeter defenses and evade incident response, while long-term persistence enables extensive espionage and data exfiltration.

According to BleepingComputer: “Deploying this malware also enabled the threat actors to remotely manage backdoored devices for several months by leveraging legitimate cloud services, rather than relying on dedicated malicious infrastructure that could alert victims to an attack and be taken down during subsequent incident response.”

Supply Chain and Third-Party Dependencies

SesameOp’s reliance on the OpenAI API underscores the risks associated with third-party service dependencies. Attackers can exploit any widely adopted API or SaaS platform for covert operations, making it essential for organizations to monitor and control outbound connections to cloud APIs, even those considered trusted. The scheduled deprecation of the OpenAI Assistants API in August 2026 may prompt attackers to shift focus to other APIs, further complicating the threat landscape.

Security Controls and Compliance Requirements

In response to the discovery, Microsoft and OpenAI collaborated to disable the malicious API key and account. Recommended security controls include auditing and reviewing firewall and web server logs for unusual API traffic, blocking unauthorized outbound connections to cloud APIs, enabling endpoint detection and response (EDR) in block mode, enforcing tamper protection and automated remediation in security solutions, and monitoring for .NET AppDomainManager injection and unusual Visual Studio utility behavior.

Industry Adoption and Integration Challenges

The SesameOp attack highlights the risks of integrating third-party APIs and the need for enhanced monitoring of API usage and cloud service dependencies. Organizations must implement stronger controls over developer and service accounts with API access, and update incident response playbooks to address cloud-based C2 scenarios.

Vendor Security Practices and Track Record

Microsoft and OpenAI demonstrated responsible disclosure and rapid response by investigating and disrupting the attack. However, the incident underscores the need for continuous monitoring of API usage patterns, proactive threat hunting for abuse of cloud services, and transparent communication between vendors and customers regarding emerging threats.

Technical Specifications

The SesameOp loader is Netapi64.dll, an obfuscated .NET-based component. The backdoor, OpenAIAgent.Netapi64, communicates with the OpenAI Assistants API using encrypted and compressed payloads. Persistence is achieved through .NET AppDomainManager injection and internal web shells. Detection is possible with Microsoft Defender XDR, EDR solutions, and custom hunting queries.

Authoritative Source Quotes

“Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment. To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.” Source: Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/

“The infection chain, per Microsoft, includes a loader component ("Netapi64.dll") and a .NET-based backdoor ("OpenAIAgent.Netapi64") that leverages the OpenAI API as a C2 channel to fetch encrypted commands, which are subsequently decoded and executed locally. The results of the execution are sent back to OpenAI as a message.” Source: The Hacker News https://thehackernews.com/2025/11/microsoft-detects-sesameop-backdoor.html

“Deploying this malware also enabled the threat actors to remotely manage backdoored devices for several months by leveraging legitimate cloud services, rather than relying on dedicated malicious infrastructure that could alert victims to an attack and be taken down during subsequent incident response.” Source: BleepingComputer https://www.bleepingcomputer.com/news/security/microsoft-sesameop-malware-abuses-openai-assistants-api-in-attacks/

“Microsoft states that the malware doesn't exploit a vulnerability or misconfiguration in OpenAI's platform, but rather misuses built-in capabilities of the Assistants API (scheduled for deprecation in August 2026). Microsoft and OpenAI collaborated to investigate the threat actors' abuse of the API, which led to the identification and disabling of the account and API key used in the attacks.” Source: BleepingComputer https://www.bleepingcomputer.com/news/security/microsoft-sesameop-malware-abuses-openai-assistants-api-in-attacks/

“The stealthy nature of SesameOp is consistent with the objective of the attack, which was determined to be long term-persistence for espionage-type purposes.” Source: Microsoft Security Blog https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/

Cyber Perspective

From a security expert’s perspective, SesameOp represents a significant evolution in attacker tradecraft. By leveraging trusted third-party APIs for C2, attackers can bypass many traditional security controls and remain undetected for extended periods. This technique is likely to proliferate as more organizations adopt cloud-based services and APIs, increasing the attack surface and complicating incident response.

For defenders, this means enhanced monitoring of all outbound API traffic, not just to known malicious domains, greater scrutiny of third-party and supply chain dependencies, the need for advanced behavioral analytics to detect subtle anomalies in API usage, and increased collaboration with vendors to quickly identify and disrupt abuse of legitimate services.

For the market, this attack highlights the urgent need for API security solutions, improved supply chain risk management, and more robust cloud security postures. Organizations must treat all external API connections as potential risk vectors and implement zero trust principles across their environments.

About Rescana

Rescana’s Third-Party Risk Management (TPRM) solutions are designed to help organizations identify, assess, and mitigate risks associated with supply chain and third-party dependencies. Our platform provides continuous monitoring, automated risk assessments, and actionable insights to ensure your organization’s ecosystem remains secure—even as attackers evolve their tactics. Whether you’re concerned about API abuse, cloud service risks, or vendor security practices, Rescana empowers you to stay ahead of emerging threats and maintain compliance with industry standards. Reach out to learn how we can help you strengthen your third-party risk management program.

We are happy to answer any questions at ops@rescana.com.