Executive Summary

In July 2025, Microsoft’s Detection and Response Team (DART) identified a highly sophisticated malware campaign leveraging the SesameOp backdoor, which uniquely abuses the OpenAI Assistants API as a covert command-and-control (C2) channel. This innovative TTP (Tactics, Techniques, and Procedures) enables threat actors to blend malicious C2 traffic with legitimate API usage, effectively bypassing traditional network security controls and evading detection. The campaign demonstrates advanced persistence mechanisms, including .NET AppDomainManager injection, multi-layered obfuscation, and encrypted payload delivery. The use of a mainstream AI service for C2 marks a significant evolution in adversarial tradecraft, raising the bar for defenders and necessitating new detection and mitigation strategies. As of this report, there is no public attribution to a specific threat group, but the operational sophistication and focus on stealth strongly suggest a state-sponsored or highly resourced espionage actor. Organizations using Microsoft Visual Studio utilities and permitting outbound access to api.openai.com are at elevated risk and should review the technical details and mitigation guidance provided herein.

Threat Actor Profile

The operators behind SesameOp have not been publicly attributed to any known Advanced Persistent Threat (APT) group or nation-state. However, the campaign’s technical sophistication, operational security, and focus on long-term persistence are hallmarks of a highly resourced, likely state-sponsored, espionage actor. The threat actor demonstrates deep familiarity with .NET internals, advanced obfuscation techniques, and the ability to weaponize legitimate cloud-based APIs for malicious C2. The campaign’s targeting and tradecraft suggest a focus on high-value enterprise environments, particularly those with developer tooling such as Microsoft Visual Studio. The actor’s use of the OpenAI Assistants API for C2 is unprecedented, indicating a willingness to innovate and exploit emerging technologies to evade detection and maximize operational longevity.

Technical Analysis of Malware/TTPs

The SesameOp malware campaign is characterized by a multi-stage infection chain, advanced persistence, and the abuse of the OpenAI Assistants API for C2. The initial infection vector is believed to be the compromise of Microsoft Visual Studio utilities, where attackers deploy a malicious, obfuscated DLL named Netapi64.dll. This loader is protected with Eazfuscator.NET obfuscation and is configured to persist via .NET AppDomainManager injection, achieved by modifying or planting crafted .config files alongside the targeted utilities.

Upon execution, the loader creates a marker file at C:\Windows\Temp\Netapi64.start to ensure a single instance is running, and establishes a mutex named OpenAI APIS. It then loads and XOR-decodes a secondary payload from C:\Windows\Temp\.Netapi64, handling exceptions by writing to C:\Windows\Temp\Netapi64.Exception. The main backdoor component, OpenAIAgent.Netapi64, is responsible for C2 communications and is configured via a resource section (TextFile1) containing the OpenAI API key, a dictionary key name, and an optional proxy.

The C2 channel is established by interacting with the OpenAI Assistants API. The malware uses the API’s vector store to uniquely identify infected hosts (by base64-encoding the hostname) and leverages up to 100 assistants per account for tasking. The description field of each assistant is used to signal state and tasking: SLEEP indicates idleness, Payload instructs the host to fetch and execute a command, and Result is used to exfiltrate command output. Payloads are AES-encrypted, RSA-protected, and GZIP-compressed, then decrypted and executed via the JScript engine on the victim host. Results are similarly encrypted and posted back as messages to the OpenAI API, effectively hiding malicious traffic within legitimate API calls.

Obfuscation and evasion are central to SesameOp’s design. The use of Eazfuscator.NET complicates static analysis, while layered encryption and compression hinder dynamic inspection. By routing all C2 traffic through api.openai.com, the malware evades traditional C2 blacklists and blends into normal enterprise traffic, especially in environments where AI services are permitted.

Exploitation in the Wild

The SesameOp campaign was first detected in July 2025 during a months-long intrusion into an unnamed organization. The attackers achieved initial access by compromising Microsoft Visual Studio utilities, deploying the obfuscated loader and establishing persistence via .NET AppDomainManager injection. The malware maintained long-term access by deploying internal web shells and malicious processes, ensuring continued control even if initial access vectors were remediated.

All command and result traffic was relayed through the OpenAI Assistants API, rendering traditional network-based detection and C2 blacklisting ineffective. The campaign’s use of a mainstream AI service for C2 is a significant innovation, as it allows malicious traffic to blend seamlessly with legitimate business operations, complicating both detection and response. The attackers demonstrated a high degree of operational security, rotating API keys and leveraging the flexibility of the OpenAI platform to manage multiple infected hosts concurrently.

Victimology and Targeting

Public reporting has not disclosed specific sectors, geographies, or organizations targeted by SesameOp. However, the campaign’s reliance on compromised Microsoft Visual Studio utilities suggests a focus on environments where developer tools are prevalent, such as software development firms, technology companies, and enterprises with in-house development teams. The use of advanced persistence and stealth techniques indicates a preference for high-value targets where long-term access can yield significant intelligence or strategic advantage. Organizations permitting outbound access to api.openai.com and lacking granular monitoring of API usage are particularly vulnerable.

Mitigation and Countermeasures

To defend against SesameOp and similar threats, organizations should implement a multi-layered security strategy. Begin by auditing and reviewing firewall and web proxy logs for unusual outbound connections to api.openai.com, especially from non-browser processes or unexpected hosts. Block unauthorized access to the OpenAI API from endpoints and servers that do not require it for legitimate business purposes. Monitor for suspicious .NET AppDomainManager injection activity, which may indicate the presence of obfuscated loaders or malicious persistence mechanisms.

Enable tamper protection and real-time protection in Microsoft Defender or equivalent endpoint security solutions. Deploy Endpoint Detection and Response (EDR) in block mode to prevent execution of unknown or suspicious artifacts. Regularly review and restrict the use of third-party APIs in sensitive environments, and enforce least-privilege access controls for developer tools and utilities.

For detection, leverage the following Microsoft Defender XDR query to identify anomalous connections to the OpenAI API:

kusto DeviceNetworkEvents | where RemoteUrl endswith "api.openai.com" | summarize Connections = count() by DayOfConnection = bin(TimeGenerated, 1d), DeviceName, InitiatingProcessFileName, RemoteUrl | summarize TotalConnections = sum(Connections), DaysWithConnections = dcount(DayOfConnection), DistinctDevices = dcount(DeviceName) by InitiatingProcessFileName, RemoteUrl

Additionally, apply the SOC Prime Sigma Rule for SesameOp to enhance detection coverage across SIEM platforms.

Organizations should also review the integrity of Microsoft Visual Studio utilities and associated .config files, ensuring that only authorized and verified components are present. Consider implementing application whitelisting and code integrity policies to prevent unauthorized DLL injection and execution.

References

Microsoft Security Blog: SesameOp: Novel backdoor uses OpenAI Assistants API for command and control https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/

SecurityWeek: SesameOp Malware Abuses OpenAI API https://www.securityweek.com/sesameop-malware-abuses-openai-api/

CSO Online: New backdoor 'SesameOp' abuses OpenAI Assistants API for stealthy C2 operations https://www.csoonline.com/article/4083999/new-backdoor-sesameop-abuses-openai-assistants-api-for-stealthy-c2-operations.html

SOC Prime: SesameOp Backdoor Detection https://socprime.com/blog/sesameop-backdoor-detection/

The Hacker News: Microsoft Detects "SesameOp" Backdoor Using OpenAI's API as a C2 Channel https://thehackernews.com/2025/11/microsoft-detects-sesameop-backdoor.html

BleepingComputer: Microsoft: SesameOp malware abuses OpenAI Assistants API in attacks https://www.bleepingcomputer.com/news/security/microsoft-sesameop-malware-abuses-openai-assistants-api-in-attacks/

About Rescana

Rescana is a leader in Third-Party Risk Management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify emerging threats, streamline risk assessments, and enhance overall cyber resilience. For further technical details, detection rules, and incident response support, we are happy to answer questions at ops@rescana.com.