
Hackers Hijack OpenAI API in Stealthy New Backdoor Attack

Hackers created a stealthy backdoor that exploits OpenAI’s API for covert command-and-control operations.

Written By
Ken Underhill
Nov 4, 2025

Microsoft researchers have uncovered a sophisticated backdoor named SesameOp, which uses the OpenAI Assistants API as a command-and-control (C2) channel. 

This discovery marks one of the first known cases of a malware family exploiting a legitimate AI service for stealthy communications, underscoring how artificial intelligence tools can be misused in cyber espionage.

A New Kind of Backdoor

The SesameOp backdoor was discovered in July 2025 during Microsoft’s investigation of a long-term intrusion campaign targeting corporate networks. 

Researchers found that the attackers had maintained persistent access for months, using compromised Microsoft Visual Studio utilities injected with malicious libraries through a method known as .NET AppDomainManager injection.

Further analysis revealed that the attackers used OpenAI’s Assistants API to issue commands and receive responses, replacing traditional C2 servers with a legitimate platform.

Instead of directly contacting a malicious IP or domain, SesameOp fetched encrypted commands from OpenAI’s infrastructure and sent results back through the same channel. 

This clever approach allowed the malware to blend into normal traffic patterns and evade detection by security monitoring systems.

Microsoft researchers described SesameOp as a purpose-built espionage tool, designed for long-term persistence and stealth within compromised environments. 

The attackers’ primary goal appeared to be the covert management of infected hosts, not immediate financial gain.

How SesameOp Operates

The infection chain consists of two main components: a loader named Netapi64.dll and a .NET-based backdoor component named OpenAIAgent.Netapi64.

The loader, obfuscated with Eazfuscator.NET, ensures persistence by creating unique markers, maintaining a mutex to prevent duplicate execution, and loading the backdoor payload dynamically at runtime.

The backdoor component is responsible for communicating with the OpenAI Assistants API. 

Contrary to its name, it does not use OpenAI’s model inference capabilities but instead abuses the API as a data relay system. 

The malware fetches commands from the API, decrypts and executes them, and then posts the results back to the same OpenAI account used by the attacker.

Each interaction between the malware and the API is compressed, encrypted, and Base64-encoded, making it extremely difficult for network monitoring tools to identify the traffic as malicious. 

The malware also dynamically creates Assistants and vector stores in OpenAI’s environment, with descriptions such as “SLEEP,” “Payload,” or “Result,” which determine its behavior.

For example:

  • When labeled SLEEP, the malware idles for a specified period.
  • When labeled Payload, it retrieves and executes new instructions.
  • When labeled Result, it uploads execution output back to the attacker’s OpenAI account.

This modular workflow enables flexible, stealthy control while maintaining the appearance of legitimate API traffic.

Microsoft and OpenAI’s Joint Response

Upon discovery, Microsoft coordinated with OpenAI to investigate and disrupt the malicious activity.

OpenAI identified and disabled the API key and account associated with the threat actor, confirming that the attacker had not accessed other OpenAI services or customer data beyond limited API interactions.

Microsoft emphasized that this was not the result of any vulnerability in OpenAI’s systems but rather a misuse of legitimate functionality. 

The OpenAI Assistants API is scheduled for deprecation in August 2026, but Microsoft warns that attackers may attempt similar abuses of future APIs or AI-powered tools.

Evasion Techniques

SesameOp’s design reflects advanced threat actor capabilities. 

Its developers combined multiple layers of encryption — both symmetric (AES) and asymmetric (RSA) — to secure communications. 

Payloads were compressed with GZIP, decrypted in memory, and executed dynamically using Microsoft JScript’s Eval engine, leaving minimal forensic evidence on disk.

This combination of obfuscation, in-memory execution, and the use of a reputable AI platform allowed the malware to remain undetected for extended periods. 

The technique represents a new frontier in C2 evasion, where threat actors leverage cloud-based APIs to hide within legitimate network traffic.

Mitigation and Protection

Microsoft researchers recommend several defensive measures to protect organizations from similar threats:

  • Audit firewall and proxy logs regularly to detect unusual outbound traffic patterns.
  • Restrict unauthorized API usage by monitoring and allowlisting approved API keys and domains.
  • Use endpoint protection and EDR tools like Microsoft Defender for Endpoint in block mode to halt suspicious artifacts.
  • Enable tamper protection and cloud-delivered protection to counter rapidly evolving threats.
  • Review perimeter and proxy configurations to limit access to non-standard ports and unapproved external services.
  • Enable potentially unwanted application (PUA) protection and real-time antivirus scanning to prevent malicious software execution.
  • Automate investigation and remediation wherever possible to reduce response time to incidents.

These mitigations, along with vigilant network monitoring and AI usage policies, can help reduce the risk of adversaries misusing legitimate APIs for covert control.
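
The first two recommendations (auditing proxy logs and allowlisting approved API use) can be combined into one check, shown here as an added example that is not from Microsoft's report or this article. The log format, host names, process names and allowlist are all constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample proxy log. Assumed columns: time, host, process, dest, bytes_out.
SAMPLE_LOG = """\
2025-07-01T09:00:04Z,build-01,python.exe,api.openai.com,1840
2025-07-01T09:05:11Z,ws-114,devtool.exe,api.openai.com,912
2025-07-01T09:35:12Z,ws-114,devtool.exe,api.openai.com,20480
2025-07-01T10:05:13Z,ws-114,devtool.exe,api.openai.com,905
2025-07-01T10:07:40Z,ws-220,chrome.exe,example.org,300
2025-07-01T10:09:02Z,WS-331,Python.exe,API.OPENAI.COM,512
truncated,line
"""

WATCHED_DOMAINS = {"api.openai.com"}
# Hypothetical allowlist: (host, process) pairs approved to call the API.
APPROVED = {("build-01", "python.exe")}


def unapproved_api_clients(log_text, watched=WATCHED_DOMAINS, approved=APPROVED):
    """Summarise watched-domain traffic from (host, process) pairs not on the allowlist."""
    findings = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "first": None, "last": None})
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of aborting the audit
        ts, host, process, dest, bytes_out = (field.strip() for field in row)
        key = (host.lower(), process.lower())  # normalise case before comparing
        if dest.lower() not in watched or key in approved:
            continue
        stats = findings[key]
        stats["requests"] += 1
        stats["bytes_out"] += int(bytes_out) if bytes_out.isdigit() else 0
        # Timestamps share one ISO 8601 UTC format, so string order is time order.
        stats["first"] = ts if stats["first"] is None else min(stats["first"], ts)
        stats["last"] = ts if stats["last"] is None else max(stats["last"], ts)
    return dict(findings)


if __name__ == "__main__":
    for (host, process), s in sorted(unapproved_api_clients(SAMPLE_LOG).items()):
        print(f"{host} {process}: {s['requests']} requests, {s['bytes_out']} bytes out, "
              f"{s['first']} to {s['last']}")
```

A hit from this check is a lead for endpoint triage of the named process, not a verdict, since new legitimate API clients will also appear until they are added to the allowlist.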

SesameOp underscores the adaptability of modern attackers and the dual-use nature of emerging technologies. 

As artificial intelligence becomes increasingly embedded in corporate workflows, its legitimate APIs can inadvertently become powerful tools for adversaries.
