SesameOp
SesameOp is a backdoor malware family discovered by Microsoft Incident Response’s Detection and Response Team (DART) in July 2025 during response to a sophisticated intrusion. Microsoft assessed the operation as long-term persistence for espionage-type purposes. The malware abuses the OpenAI Assistants API as a covert command-and-control channel, embedding command exchange in legitimate-looking API traffic rather than using traditional attacker-controlled infrastructure. Multiple sources describe this as the first confirmed case of an LLM API being repurposed for covert C2.
The observed infection chain includes a heavily obfuscated .NET loader, Netapi64.dll, and a .NET backdoor component, OpenAIAgent.Netapi64. The loader was reported as obfuscated with Eazfuscator.NET and loaded into host executables via .NET AppDomainManager injection directed by a crafted .config file. Microsoft reported the broader intrusion also involved compromised Microsoft Visual Studio utilities, internal web shells, and malicious processes used to maintain access. SesameOp uses AppDomainManager injection for persistence and defense evasion, and was observed persisting inside otherwise legitimate host processes, including developer tools.
Functionally, OpenAIAgent.Netapi64 provides the main backdoor capability. It reads configuration from a .NET resource section containing an OpenAI API key, a dictionary key selector, and an optional proxy. It creates the mutex "OpenAI APIS," Base64-encodes the hostname, queries the OpenAI account for vector stores, and retrieves Assistants using pagination. The malware uses Assistant description fields such as SLEEP, Payload, and Result as task indicators. For payload execution, it retrieves a message by thread ID and message ID, then processes a payload consisting of a Base64-encoded AES key protected with a hardcoded RSA key pair and a second blob that is AES-decrypted and GZIP-decompressed. Commands are therefore compressed and protected with layered symmetric and asymmetric encryption. The malware executes attacker-provided code on the victim host, including via a Microsoft JScript VsaEngine call to Eval.JScriptEvaluate, and then compresses, encrypts, and posts execution results back through the OpenAI Assistants API as new messages. Its traffic blends into normal HTTPS communication with api.openai.com, making network-based detection more difficult.
Reported host artifacts include creation of C:\Windows\Temp\Netapi64.start, logging of exceptions to C:\Windows\Temp\Netapi64.Exception, enumeration of C:\Windows\Temp\ for a file ending in .Netapi64, and use of a mutex to ensure a single in-memory instance. Microsoft Defender Antivirus detection names cited in the source reporting are Trojan:MSIL/Sesameop.A for the loader and Backdoor:MSIL/Sesameop.A for the backdoor.
Microsoft and OpenAI jointly investigated the abuse and disabled the API key and associated account believed to be used by the actor. The reporting characterizes this activity as misuse of legitimate OpenAI API functionality, not exploitation of an OpenAI vulnerability or misconfiguration.
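The three observable seams in the description above (the crafted .config that drives AppDomainManager injection, the Netapi64.* artifacts under C:\Windows\Temp, and Assistants-API traffic to api.openai.com from a process that has no reason to call it) can be checked mechanically. The script below is an added example, not Microsoft's, OpenAI's or Mallory's code. It uses the documented .NET runtime configuration element names (appDomainManagerAssembly, appDomainManagerType) and the documented Assistants-API resource paths (/v1/assistants, /v1/vector_stores, /v1/threads/...); the log schema, process names, allowlists and every sample input are constructed assumptions to adapt to your own telemetry, and the AppDomainManager type name in the sample .config is a placeholder because the real one is not on the page.

```python
"""Defender-side triage for the SesameOp tradecraft described in the profile.
Added example (not Microsoft's, OpenAI's or Mallory's code). All inputs are
constructed so the script runs offline."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import PureWindowsPath
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    check: str   # which check fired
    detail: str  # human-readable evidence


# --- 1. AppDomainManager injection via a crafted .config ---------------------
# Element names follow the documented .NET runtime configuration schema.
# AppDomainManagers your organisation legitimately ships (assumed: none).
ALLOWED_ADM_ASSEMBLIES: frozenset[str] = frozenset()


def scan_dotnet_config(path: str, xml_text: str) -> list[Finding]:
    """Report any <runtime> that names an AppDomainManager assembly/type."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [Finding("config-parse", f"{path}: unparsable XML ({exc})")]
    findings = []
    for runtime in root.iter("runtime"):
        asm = runtime.find("appDomainManagerAssembly")
        typ = runtime.find("appDomainManagerType")
        if asm is None and typ is None:
            continue
        # "Name, Version=..., Culture=..., PublicKeyToken=..." -> simple name
        asm_name = (asm.get("value", "") if asm is not None else "").split(",")[0].strip()
        if asm_name in ALLOWED_ADM_ASSEMBLIES:
            continue
        typ_name = typ.get("value", "?") if typ is not None else "?"
        findings.append(Finding("appdomainmanager",
                                f"{path}: loads '{asm_name or '?'}' as '{typ_name}'"))
    return findings


# --- 2. Host artifacts named in the reporting --------------------------------
TEMP_DIR = PureWindowsPath(r"C:\Windows\Temp")


def scan_temp_listing(paths: list[str]) -> list[Finding]:
    """Flag the Netapi64.* files the backdoor is reported to create or look for."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.parent != TEMP_DIR:          # only the directory the page names
            continue
        name = wp.name.lower()
        if name in ("netapi64.start", "netapi64.exception") or name.endswith(".netapi64"):
            findings.append(Finding("host-artifact", str(wp)))
    return findings


# --- 3. Assistants-API traffic from processes that should not use it ---------
# Constructed log schema (assumption): "<ts> <host> <process> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
OPENAI_HOST = "api.openai.com"
# Documented Assistants-API resources the backdoor's flow touches.
ASSISTANTS_PATH_RE = re.compile(r"^/v1/(assistants|vector_stores|threads)(/|$)")
# Processes expected to reach OpenAI in this (assumed) environment.
ALLOWED_OPENAI_PROCS = frozenset({"chrome.exe", "msedge.exe"})


def scan_proxy_log(lines: list[str]) -> list[Finding]:
    """Flag Assistants-API calls to api.openai.com from non-allowlisted processes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.netloc.lower() != OPENAI_HOST or not ASSISTANTS_PATH_RE.match(parts.path):
            continue
        if m["proc"].lower() in ALLOWED_OPENAI_PROCS:
            continue
        findings.append(Finding("openai-assistants",
                                f"{m['host']} {m['proc']} {m['method']} {parts.path}"))
    return findings


def triage(configs: dict[str, str], temp_listing: list[str], proxy_lines: list[str]) -> list[Finding]:
    findings = []
    for path, text in configs.items():
        findings += scan_dotnet_config(path, text)
    findings += scan_temp_listing(temp_listing)
    findings += scan_proxy_log(proxy_lines)
    return findings


# Constructed sample inputs (not real telemetry; type name is a placeholder).
SAMPLE_CONFIGS = {
    r"C:\Tools\build.exe.config": (
        '<configuration><runtime>'
        '<appDomainManagerAssembly value="Netapi64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>'
        '<appDomainManagerType value="PLACEHOLDER.ManagerType"/>'
        '</runtime></configuration>'),
    r"C:\Tools\clean.exe.config": '<configuration><runtime><gcServer enabled="true"/></runtime></configuration>',
}
SAMPLE_TEMP_LISTING = [
    r"C:\Windows\Temp\Netapi64.start", r"C:\Windows\Temp\Netapi64.Exception",
    r"C:\Windows\Temp\a1b2c3.Netapi64", r"C:\Windows\Temp\dd_setup.log",
    r"C:\Users\dev\notes.Netapi64",      # outside the named directory: ignored
]
SAMPLE_PROXY_LOG = [
    "2025-07-14T10:02:11Z WS-DEV07 devenv.exe GET https://api.openai.com/v1/vector_stores",
    "2025-07-14T10:02:12Z WS-DEV07 devenv.exe GET https://api.openai.com/v1/assistants?limit=100",
    "2025-07-14T10:02:15Z WS-DEV07 devenv.exe POST https://api.openai.com/v1/threads/thread_PLACEHOLDER/messages",
    "2025-07-14T10:03:00Z WS-DEV07 chrome.exe POST https://api.openai.com/v1/chat/completions",
    "2025-07-14T10:03:05Z WS-DEV07 chrome.exe GET https://api.openai.com/v1/assistants",
    "2025-07-14T10:04:00Z WS-DEV07 devenv.exe GET https://marketplace.visualstudio.com/_apis/public/gallery",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIGS, SAMPLE_TEMP_LISTING, SAMPLE_PROXY_LOG):
        print(f"[{f.check}] {f.detail}")
```

On the sample data the script reports one AppDomainManager setting, three Temp artifacts and three Assistants-API calls from the developer-tool process, while the browser's calls and the non-OpenAI request pass. The process allowlist is the knob that matters: because the traffic itself is ordinary HTTPS to api.openai.com, the signal is which process is talking to the Assistants endpoints, not the destination alone.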
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 3 techniques
The attack chain observed by DART researchers involved a heavily obfuscated loader and a .NET-based backdoor...
Command and Control: 7 techniques
Once active, the backdoor fetches encrypted, compressed commands hidden in AI-assistant metadata from the OpenAI API, executes them locally, and returns results using the same legitimate HTTPS traffic.
a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.
Microsoft security researchers have discovered a new backdoor malware that uses the OpenAI Assistants API as a covert command-and-control channel.
The developer saw a single response. The kernel saw 64 execve events, multiple outbound HTTPS connections, and a process tree several levels deep.
In July 2025, Microsoft DART documented SesameOp (ATLAS AML.CS0042): malware that used the OpenAI Assistants API as an encrypted command-and-control channel.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
A backdoor that uses the OpenAI Assistants API for command-and-control, embedding commands in normal API interactions to hinder detection.
Malware that used the OpenAI Assistants API as an encrypted command-and-control channel, representing a covert C2 mechanism via LLM infrastructure.
Malware that used the OpenAI Assistants API as an encrypted covert command-and-control channel and deleted API artifacts post-operation to cover tracks.
Backdoor malware that abuses the OpenAI Assistants API as its command and control (C2) channel, enabling long-term cyber espionage by leveraging legitimate AI infrastructure for covert communications.