SesameOp malware abuses OpenAI Assistants API in attacks

Microsoft security researchers have discovered a new backdoor malware that uses the OpenAI Assistants API as a covert command-and-control channel.

The company’s Detection and Response Team (DART) discovered the new malware, named SesameOp, during an investigation into a July 2025 cyberattack, which revealed that the malware allowed attackers to gain persistent access to the compromised environment.

Deploying this malware also enabled the threat actors to remotely manage backdoored devices for several months by leveraging legitimate cloud services, rather than relying on dedicated malicious infrastructure that could alert victims to an attack and be taken down during subsequent incident response.

“Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment,” the Microsoft Incident Response team said in a Monday report.

“To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.”

The SesameOp backdoor uses the OpenAI Assistants API as a storage and relay mechanism to fetch compressed and encrypted commands, which the malware decrypts and executes on infected systems. The information harvested in the attacks is encrypted using a combination of symmetric and asymmetric encryption and transmitted back through the same API channel.

The attack chain observed by DART researchers involved a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into multiple Microsoft Visual Studio utilities. The malware establishes persistence through internal web shells and “strategically placed” malicious processes designed for long-term espionage operations.

Microsoft states that the malware doesn’t exploit a vulnerability or misconfiguration in OpenAI’s platform, but rather misuses built-in capabilities of the Assistants API (scheduled for deprecation in August 2026). Microsoft and OpenAI collaborated to investigate the threat actors’ abuse of the API, which led to the identification and disabling of the account and API key used in the attacks.

“The stealthy nature of SesameOp is consistent with the objective of the attack, which was determined to be long-term persistence for espionage-type purposes,” Microsoft added.

To mitigate the impact of SesameOp malware attacks, Microsoft advises security teams to audit firewall logs, enable tamper protection, configure endpoint detection in block mode, and monitor unauthorized connections to external services.
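One way to start the firewall-log audit described above is sketched below. It is an added example, not code from Microsoft's report. It assumes a CSV export with the fields `timestamp,source_host,process,dest_host,dest_port`; the log lines, host names, process names and approved list are constructed for illustration, and `api.openai.com` is the OpenAI API hostname.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records (not from the Microsoft report).
# Assumed export format: timestamp,source_host,process,dest_host,dest_port
SAMPLE_LOG = """\
2025-07-14T09:02:11Z,dev-ws-07,python.exe,api.openai.com,443
2025-07-14T09:05:40Z,build-srv-02,example-tool.exe,api.openai.com,443
2025-07-14T09:35:41Z,build-srv-02,example-tool.exe,api.openai.com,443
2025-07-14T10:05:43Z,build-srv-02,example-tool.exe,API.OpenAI.com.,443
2025-07-14T10:07:00Z,build-srv-02,msedge.exe,learn.microsoft.com,443
2025-07-14T10:09:12Z,hr-laptop-3,chrome.exe,chatgpt.com,443
malformed line without enough fields
"""

WATCHED = {"api.openai.com"}              # API endpoint to audit
APPROVED = {("dev-ws-07", "python.exe")}  # hypothetical sanctioned (host, process) pairs


def normalize(host):
    """Lower-case and drop a trailing dot so FQDN variants compare equal."""
    return host.strip().lower().rstrip(".")


def find_unauthorized(log_text, watched=WATCHED, approved=APPROVED):
    """Group connections to watched endpoints by unapproved (host, process)."""
    hits = defaultdict(list)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:  # skip blank or malformed records
            continue
        ts, src, proc, dest, _port = (field.strip() for field in row)
        if normalize(dest) not in watched:
            continue
        key = (src.lower(), proc.lower())
        if key not in approved:
            hits[key].append(ts)
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    return [
        {"host": h, "process": p, "count": len(t), "first": min(t), "last": max(t)}
        for (h, p), t in sorted(hits.items())
    ]


if __name__ == "__main__":
    for finding in find_unauthorized(SAMPLE_LOG):
        print(finding)
```

Each finding is a lead for review rather than proof of compromise: a host and process pair reaching the API without a documented business reason is what gets followed up on the endpoint.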
