Threat actors are weaponizing the OpenAI Assistants Application Programming Interface (API) to deploy a backdoor and manage compromised devices remotely.
The backdoor was discovered by Microsoft Incident Response’s Detection and Response Team (DART) researchers in July 2025 while responding to a sophisticated security incident, where the threat actors had maintained a presence within the environment for several months.
The investigation uncovered a complex arrangement of internal web shells leveraging multiple Microsoft Visual Studio utilities that had been compromised with malicious libraries.
These sophisticated mechanisms were responsible for running commands relayed from persistent, strategically placed malicious processes, as well as a backdoor that DART researchers named ‘SesameOp.’
Instead of relying on more traditional methods, the backdoor exploits legitimate OpenAI’s Assistants API for command-and-control (C2) communications between the threat actors and the compromised devices.
The Assistants API is expected to be deprecated by OpenAI in August 2026 and replaced by the Responses API.
Microsoft DART researchers shared their findings about SesameOp in a report published on November 3.
SesameOp Uses OpenAI Assistants API to Fetch Commands
SesameOp is a covert backdoor purpose-built to maintain persistence and allow a threat actor to stealthily manage compromised devices.
The backdoor mechanism is made of a loader in the form of the dynamic link library (DLL), Netapi64.dll, and a NET-based backdoor, OpenAIAgent.Netapi64, that leverages OpenAI as a C2 channel.
The DLL file is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence and secure communication using the OpenAI Assistants API.
Netapi64.dll is loaded at runtime into the host executable via a defense evasion method called .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.
Meanwhile, OpenAIAgent.Netapi64, the main functionality that enables the backdoor to operate, does not utilize OpenAI agent software development kits (SDKs) or model execution features, despite what its filename could suggest.
“Instead, it uses OpenAI Assistants API to fetch commands, which the malware then decrypts and executes locally. Once the tasks are completed, it sends the results back to OpenAI as a message. To stay under the radar, it uses compression and encryption, ensuring both the incoming payload and the outgoing results remain hidden,” the DART researchers wrote in the report.
The July investigation also revealed sophisticated techniques employed to secure and obfuscate communications, including payload compression to minimize size and layered encryption mechanisms both symmetric and asymmetric to protect command data and exfiltrated results.
Microsoft’s Mitigation Recommendations Against SesameOp
In its report, Microsoft recommended the following mitigations to reduce the impact of the SesameOp threat:
- Audit and review firewalls and web server logs frequently
- Use Windows Defender Firewall, intrusion prevention systems, and network firewall to block C2 server communications across endpoints whenever feasible
- Review and configure your perimeter firewall and proxy settings to limit unauthorized access to services, including connections through non-standard ports
- Ensure that tamper protection is enabled in Microsoft Dender for Endpoint
- Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode
- Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume
- Turn on potentially unwanted applications (PUA) protection in block mode in Microsoft Defender Antivirus
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques
- Turn on Microsoft Defender Antivirus real-time protection