Microsoft Discovers 'SesameOp' Backdoor Using OpenAI API for Covert C2

Microsoft DART Uncovers Novel 'SesameOp' Backdoor Leveraging OpenAI Assistants API for Command and Control in Espionage Campaign

HIGH
November 3, 2025
5m read
MalwareThreat ActorCloud Security

Related Entities

Organizations

Microsoft Microsoft DARTOpenAI

Products & Tech

OpenAI Assistants APIMicrosoft Visual Studio

Other

SesameOp

MITRE ATT&CK Techniques

T1102.002Command and Control

Bidirectional Communication

T1071.001Command and Control

Web Protocols

T1546.011Persistence

AppDomainManager

T1105Command and Control

Ingress Tool Transfer

Full Report

Executive Summary

Researchers from Microsoft's Detection and Response Team (DART) have identified a novel and highly stealthy backdoor, dubbed SesameOp. The malware was discovered in July 2025 during an incident response engagement involving a sophisticated, espionage-focused threat actor. SesameOp's defining characteristic is its use of the OpenAI Assistants API as its command-and-control (C2) channel. This technique allows the malware to mask its communications as legitimate traffic to a trusted, widely used service, thereby bypassing many network-based security controls. The attackers also employed advanced persistence techniques, including the compromise of Microsoft Visual Studio utilities through .NET AppDomainManager injection.

Threat Overview

The threat actor behind SesameOp is focused on long-term espionage, maintaining persistence in the target environment for several months. The core of their operation is the SesameOp backdoor, which uses an unconventional method for C2.

Instead of connecting to an attacker-controlled server, a component of the malware makes API calls to the OpenAI Assistants API. The attacker stores commands within the context of an 'Assistant' object on the OpenAI platform. The malware periodically queries this object via the API to retrieve new commands for execution. The output of these commands is then sent back through the same API. This abuse of a legitimate service (T1102.002 - Bidirectional Communication) makes the C2 traffic exceptionally difficult to distinguish from benign use of the OpenAI API.

Technical Analysis

C2 via OpenAI Assistants API

The malware leverages the OpenAI platform as a third-party proxy for C2. This method offers several advantages to the attacker:

  • Stealth: Network traffic is directed to a legitimate, reputable domain (api.openai.com), which is unlikely to be blocked.
  • Encryption: All communication is encrypted via standard TLS, blending in with normal web traffic.
  • Anonymity: It obfuscates the true location of the attacker's C2 server.

The malware uses the API to fetch commands, which are then executed on the compromised system using a series of internal web shells.

Persistence via AppDomainManager Injection

The attackers achieved persistence by compromising multiple Microsoft Visual Studio utilities. They used a technique known as .NET AppDomainManager injection (T1546.011 - AppDomainManager). This involves modifying configuration files to force a .NET application to load a malicious library upon startup. By targeting legitimate, signed Microsoft utilities, the attackers were able to execute their code in a trusted process, a form of defense evasion.

The DART team discovered the backdoor by hunting for Visual Studio utilities that were loading unusual or unexpected libraries, which led them to the malicious artifact containing SesameOp.

Impact Assessment

The primary goal of this campaign is espionage. The stealthy nature of the SesameOp backdoor and its persistence mechanism allows the threat actor to maintain long-term access to a compromised network for intelligence gathering. This can include stealing intellectual property, sensitive corporate data, and government secrets. The use of a novel C2 channel like the OpenAI API indicates a trend towards more sophisticated evasion techniques that challenge traditional detection models.

Cyber Observables for Detection

Type Value Description
domain api.openai.com Monitor for connections to this domain from servers or workstations that have no legitimate business reason to use the OpenAI API.
api_endpoint /v1/assistants Specific API endpoint used by the malware. Anomalous traffic patterns to this endpoint are suspicious.
command_line_pattern devenv.exe loading unusual DLLs The Visual Studio process loading non-standard or unsigned libraries could indicate AppDomainManager injection.
log_source Web Proxy Logs Analyze logs for endpoints making frequent, small, and regular API calls to OpenAI, which could be C2 beacons.

Detection & Response

  1. Egress Traffic Analysis: Monitor and analyze all outbound traffic to api.openai.com. While many organizations may have legitimate use, traffic from servers or specific user segments that do not typically use AI services should be scrutinized. This is a direct application of D3-OTF: Outbound Traffic Filtering.
  2. API Key Auditing: Audit the usage of OpenAI API keys within your organization. Look for keys being used from unexpected geographic locations or systems.
  3. Endpoint Monitoring: Use an EDR to monitor for signs of AppDomainManager injection. Hunt for modifications to .exe.config files and for processes loading unusual DLLs at startup. This aligns with D3-SFA: System File Analysis.
  4. Process Baselining: Establish a baseline of normal process activity and loaded modules for developer tools like Visual Studio. Alert on any deviations from this baseline.

Mitigation

  1. Restrict API Access: If your organization does not use the OpenAI API, block access to api.openai.com at the network perimeter. If it is used, restrict access to only authorized users and systems. See M1021 - Restrict Web-Based Content.
  2. Application Control: Deploy application control policies to prevent legitimate applications like Visual Studio from loading unauthorized or unsigned DLLs. This can help prevent persistence via injection techniques. See M1038 - Execution Prevention.
  3. Harden Developer Workstations: Apply strict security controls to developer workstations, as they are high-value targets. This includes least privilege access, regular patching, and advanced endpoint protection.

Timeline of Events

1
July 1, 2025
Microsoft's DART discovers the SesameOp backdoor during an incident response investigation.
2
November 3, 2025
This article was published

MITRE ATT&CK Mitigations

Restrict Web-Based Content

M1021enterprise

Block or restrict outbound connections to services like the OpenAI API from servers and user segments that have no legitimate need for them.

Mapped D3FEND Techniques:

D3-OTF

Execution Prevention

M1038enterprise

Use application control to prevent legitimate developer tools from loading unauthorized or malicious DLLs, mitigating the AppDomainManager persistence technique.

Mapped D3FEND Techniques:

D3-EAL

Application Isolation and Sandboxing

M1048enterprise

Run developer tools and other high-risk applications in isolated or sandboxed environments to limit their ability to impact the host system if compromised.

D3FEND Defensive Countermeasures

Outbound Traffic Filtering

D3-OTFMaps to MITREM1021
D3FEND

To counter C2 channels like SesameOp that abuse legitimate services, a strict outbound traffic filtering policy is essential. The default policy should be to deny all outbound traffic. Then, explicitly allow connections only to known-good, required services on a per-system or per-user-group basis. In the context of SesameOp, this means that unless a server has a documented, approved business need to contact api.openai.com, all such connections should be blocked at the firewall. For approved use cases, access should be limited to specific source IPs. This preventative control drastically shrinks the C2 surface area available to attackers.

System File Analysis

D3-SFAMaps to MITREM1047
D3FEND

To detect the AppDomainManager injection persistence used by the SesameOp actors, organizations should implement System File Analysis, likely through a File Integrity Monitoring (FIM) solution. A FIM agent should be configured to monitor all .exe.config files associated with Microsoft Visual Studio and other .NET applications. Any unauthorized modification to these files is a strong indicator of a persistence attempt. Alerts should be generated immediately for any changes, allowing security teams to investigate and determine if the modification is legitimate or an attempt to inject a malicious DLL, as seen in this campaign.

Sources & References

SesameOp: Novel backdoor uses OpenAI Assistants API for command and control
Microsoft Security Blog (microsoft.com) November 3, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

SesameOpMalwareBackdoorOpenAIAPIC2EspionageMicrosoftAppDomainManager

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next