Microsoft’s Incident Response – Detection and Response Team (DART) has uncovered a previously undocumented backdoor named ‘SesameOp’ that uses the OpenAI Assistants Application Programming Interface (API) as a command-and-control (C&C) channel to stealthily manage compromised systems.
OpenAI Assistants is a feature of the OpenAI platform that lets developers and organizations build custom AI agents for specific tasks, workflows or domains. Assistants are built on top of OpenAI’s models (such as GPT-4 or GPT-4.1) and can be extended with additional capabilities. It should be noted that the OpenAI Assistants API is scheduled for deprecation in August 2026, though that alone does not neutralize the technique: any cloud service that lets an authenticated client store and later retrieve arbitrary text can be repurposed as a command relay in the same way.
DART discovered SesameOp in July 2025 while responding to a sophisticated intrusion in which the threat actors had maintained long-term access. The attack was layered: internal web shells relayed commands from persistent malicious processes, and those processes were several Microsoft Visual Studio utilities that had been made to load unusual, malicious libraries. The libraries were injected into the host processes with a .NET AppDomainManager injection technique.
The infection chain consists of a loader (Netapi64.dll) and a .NET-based backdoor component (OpenAIAgent.Netapi64) that uses OpenAI as its C&C channel. The DLL is loaded into the host executable at runtime through .NET AppDomainManager injection: the .NET Framework reads the .config file that sits beside the host executable, and a crafted config can name an arbitrary assembly and type as the AppDomainManager, which the runtime then instantiates before the host’s own entry point runs. The signed host binary itself is never modified, which is what makes the technique attractive for persistence. OpenAIAgent.Netapi64 contains the main functionality that enables the backdoor to operate.
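The following hunting script is an added example and is not Microsoft’s code or anything taken from the SesameOp samples. It parses `*.exe.config` files for the `<appDomainManagerAssembly>` and `<appDomainManagerType>` elements under `<runtime>` that the .NET Framework honours, and reports which host executable would load which assembly, plus whether a DLL of that name sits beside the executable. The directory listing and config contents are constructed; the host executable name and the full assembly-name string are hypothetical, and only the loader and component names come from the report.

```python
"""Hunt for .NET AppDomainManager injection in *.exe.config files.

Added example; not Microsoft's or the SesameOp operators' code. The .NET
Framework honours <appDomainManagerAssembly> and <appDomainManagerType>
under <configuration><runtime>, instantiating the named type before the
host executable's own entry point runs, so a .config planted next to a
legitimate signed .exe makes that .exe load an attacker's DLL. All file
contents below are constructed samples; the exe name and the full
assembly-name string are hypothetical.
"""
import ntpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ASSEMBLY_KEY = "appDomainManagerAssembly"
TYPE_KEY = "appDomainManagerType"


@dataclass
class Finding:
    config_path: str
    host_exe: str
    assembly: str
    type_name: str
    dll_beside_exe: bool  # a DLL matching the assembly's simple name is next to the exe


def parse_config(text: str) -> Optional[Tuple[str, str]]:
    """Return (assembly, type) if the config selects an AppDomainManager, else None."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    found = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # tolerate XML namespaces on any element
        if tag in (ASSEMBLY_KEY, TYPE_KEY):
            found[tag] = elem.get("value", "")
    if ASSEMBLY_KEY not in found:
        return None
    return found[ASSEMBLY_KEY], found.get(TYPE_KEY, "")


def scan(files: Dict[str, Optional[str]]) -> List[Finding]:
    """files maps Windows paths to text content (None for binaries)."""
    present = {p.lower() for p in files}
    findings = []
    for path, content in files.items():
        if content is None or not path.lower().endswith(".exe.config"):
            continue
        hit = parse_config(content)
        if hit is None:
            continue
        assembly, type_name = hit
        host_exe = path[: -len(".config")]
        # "Name, Version=..., Culture=..." -> Name.dll is what the CLR probes for
        simple_name = assembly.split(",", 1)[0].strip()
        dll_path = ntpath.join(ntpath.dirname(path), simple_name + ".dll")
        findings.append(Finding(path, host_exe, assembly, type_name,
                                dll_path.lower() in present))
    return findings


# Constructed listing: a hypothetical helper exe with a planted .config and
# loader DLL beside it, and a benign app whose config only tunes probing.
SAMPLE_FILES: Dict[str, Optional[str]] = {
    r"C:\Tools\build\buildhelper.exe": None,
    r"C:\Tools\build\buildhelper.exe.config": """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Netapi64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="OpenAIAgent.Netapi64" />
  </runtime>
</configuration>""",
    r"C:\Tools\build\Netapi64.dll": None,
    r"C:\Apps\app.exe": None,
    r"C:\Apps\app.exe.config": """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
  </runtime>
</configuration>""",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"[!] {f.host_exe} would load {f.assembly} as {f.type_name} "
              f"(loader DLL beside exe: {f.dll_beside_exe})")
```

On a real host, feed `scan()` a listing gathered from the directories where signed .NET tools live; the same two runtime settings can also be supplied through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, so a config-file sweep should be paired with a check of process environments.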
Notably, OpenAIAgent.Netapi64 does not use OpenAI’s agent software development kits (SDKs) or any model execution features. It uses the OpenAI Assistants API purely as a mailbox: it fetches commands through the API, decrypts and executes them locally, and, once a task completes, posts the results back to OpenAI as a message. Because every exchange is an HTTPS request to a legitimate, widely used API endpoint, the traffic blends in with ordinary outbound web activity; defenders should review which processes and hosts in their environment have any business reason to reach the OpenAI API and treat the rest as suspect.
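The detection logic below is an added example, not code from Microsoft or from this report’s source, and it runs over constructed proxy log lines. It assumes the public API host is `api.openai.com`, that Assistants traffic lands on URL paths under `/v1/assistants` and `/v1/threads`, and a pipe-separated log format; the user names, process paths and allowlisted images are hypothetical and should be replaced with your own telemetry and approved applications.

```python
"""Flag unexpected processes talking to the OpenAI Assistants API.

Added example; not Microsoft's code or the page's own. Log format, users,
process paths and the allowlist are hypothetical. Assumes the API host is
api.openai.com and that Assistants calls use /v1/assistants and
/v1/threads paths.
"""
import re
from collections import Counter
from typing import Dict, List

OPENAI_HOSTS = {"api.openai.com"}
ASSISTANTS_PATHS = ("/v1/assistants", "/v1/threads")

# Process images expected to reach the OpenAI API in this hypothetical estate.
ALLOWED_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "copilot-cli.exe"}

# ts|user|process image path|destination host|URL path
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<user>[^|]+)\|(?P<proc>[^|]+)\|(?P<dst>[^|]+)\|(?P<path>.*)$"
)


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else {}


def classify(rec: Dict[str, str]) -> str:
    """Return 'none', 'openai' or 'assistants' for one record's destination."""
    if rec.get("dst", "").lower() not in OPENAI_HOSTS:
        return "none"
    if rec["path"].startswith(ASSISTANTS_PATHS):
        return "assistants"
    return "openai"


def detect(log: str) -> List[Dict[str, str]]:
    """Return records where a non-allowlisted process reached the OpenAI API."""
    findings = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        kind = classify(rec)
        if kind == "none":
            continue
        image = rec["proc"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in ALLOWED_IMAGES:
            continue
        # A non-allowlisted process driving the Assistants endpoints is the
        # SesameOp-style pattern: a signed host exe acting as a C&C client.
        severity = "high" if kind == "assistants" else "medium"
        findings.append({**rec, "image": image, "severity": severity})
    return findings


def by_image(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per process image to spot a single beaconing host."""
    return Counter(f["image"] for f in findings)


# Constructed sample log (thread id and all names are made up).
SAMPLE_LOG = """\
2025-07-14T09:12:03Z|alice|C:\\Program Files\\Mozilla Firefox\\firefox.exe|api.openai.com|/v1/chat/completions
2025-07-14T09:12:41Z|svc_build|C:\\Tools\\build\\buildhelper.exe|api.openai.com|/v1/assistants
2025-07-14T09:13:02Z|svc_build|C:\\Tools\\build\\buildhelper.exe|api.openai.com|/v1/threads/thr_01/messages
2025-07-14T09:13:30Z|bob|C:\\Windows\\System32\\svchost.exe|update.microsoft.com|/
2025-07-14T09:14:10Z|carol|C:\\Users\\carol\\tool.exe|api.openai.com|/v1/models
"""

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"[{h['severity']}] {h['ts']} {h['user']} {h['image']} -> {h['path']}")
    print(by_image(hits))
```

The allowlist is the weak point of this check: developer tooling legitimately calls the same API, so pair process-image matching with the account context (a build service account has less reason to create Assistant threads than an engineer’s browser) and with the config-file sweep for the loader described above.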
