Microsoft’s Detection and Response Team (DART) uncovered a sophisticated backdoor named SesameOp that uniquely uses the OpenAI Assistants API as a command-and-control (C2) channel. Unlike traditional C2 methods that rely on direct network connections or common protocols, SesameOp leverages OpenAI’s API to stealthily receive encrypted commands and send back execution results, effectively hiding malicious communications within legitimate AI service traffic. The infection chain involves a loader DLL named Netapi64.dll and a .NET backdoor component called OpenAIAgent.Netapi64. The DLL is heavily obfuscated using Eazfuscator.NET and loaded at runtime into a host executable via .NET AppDomainManager injection, a technique that hijacks the application domain manager to load malicious code stealthily. The backdoor communicates by retrieving a list of AI assistants from the OpenAI API, parsing the description fields for instructions such as SLEEP (to pause execution), Payload (to execute commands), and Result (to send back output). This method allows the attacker to maintain persistence and covertly orchestrate malicious activities over an extended period, as evidenced by the months-long intrusion Microsoft detected in July 2025. The malware also uses compromised Microsoft Visual Studio utilities with malicious libraries to facilitate its operations. Microsoft shared its findings with OpenAI, which disabled the attacker’s API key and account. The attack illustrates a novel abuse of legitimate AI infrastructure for stealthy C2, complicating detection and response efforts. While the specific threat actor remains unidentified, the technique signals a new trend in leveraging cloud AI services for malicious purposes. The OpenAI Assistants API is scheduled for deprecation in August 2026, which may impact the attacker’s ability to use this channel in the future. No known exploits are currently active in the wild, but the sophistication and stealth of SesameOp warrant close monitoring and proactive defense.

For European organizations, SesameOp represents a significant espionage and persistence threat, particularly for entities heavily reliant on Microsoft technologies and integrating AI services into their workflows. The use of OpenAI’s API as a C2 channel allows attackers to bypass traditional network security controls and blend malicious traffic with legitimate AI service communications, reducing the likelihood of detection by conventional intrusion detection systems. This stealth capability can enable prolonged unauthorized access, data exfiltration, and manipulation of critical systems. The malware’s ability to execute arbitrary commands remotely increases risks to confidentiality, integrity, and availability of sensitive data and systems. Organizations in sectors such as government, finance, technology, and critical infrastructure are especially at risk due to the strategic value of their data and the likelihood of targeted espionage. The abuse of AI APIs also raises concerns about supply chain and cloud service trustworthiness, potentially impacting compliance with European data protection regulations like GDPR if data leakage occurs. The complexity and stealth of SesameOp may strain incident response resources and require enhanced monitoring of AI service usage patterns. Although no active widespread exploitation is reported, the threat’s innovative use of AI APIs signals a new attack vector that European defenders must address proactively.

European organizations should implement multi-layered defenses tailored to detect and disrupt AI API abuse and advanced persistence techniques. Specific recommendations include: 1) Monitor and analyze outbound traffic to AI service APIs, establishing baselines and alerting on anomalous or unexpected usage patterns, especially from endpoints or processes not typically associated with AI integrations. 2) Employ application allowlisting and code integrity verification to detect unauthorized DLL injections and obfuscated binaries, particularly focusing on .NET AppDomainManager injection techniques. 3) Harden Microsoft Visual Studio and related development tools by restricting execution of unsigned or unexpected libraries and monitoring for suspicious modifications. 4) Integrate AI service usage logs with SIEM and SOAR platforms to correlate API calls with endpoint telemetry and detect stealthy C2 communications. 5) Enforce strict API key management policies, including regular rotation, least privilege access, and immediate revocation of compromised keys in collaboration with AI service providers. 6) Conduct threat hunting exercises focused on identifying web shells, unusual process behaviors, and encrypted outbound communications masquerading as legitimate AI traffic. 7) Educate security teams on emerging threats leveraging AI infrastructure to improve detection capabilities and incident response readiness. 8) Collaborate with cloud and AI service providers to share threat intelligence and receive timely updates on abuse patterns and mitigation strategies. 9) Prepare for the upcoming deprecation of the OpenAI Assistants API by reviewing dependencies and ensuring that new AI integrations do not introduce similar attack surfaces. These targeted measures go beyond generic advice by focusing on the unique aspects of SesameOp’s attack chain and its abuse of AI APIs.