SOC Prime Bias: Critical

04 Nov 2025 09:05

SesameOp Backdoor Detection: Microsoft Discovers New Malware Abusing OpenAI Assistants API in Cyber-Attacks

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

SesameOp Malware Attacks

Microsoft researchers discovered a new backdoor named SesameOp that uses the OpenAI Assistants API as a covert command and control channel. The malware is delivered via a malicious Netapi64.dll loader that is injected into .NET processes using AppDomainManager injection. It stores configuration in the DLL’s resources and communicates with OpenAI endpoints to receive commands and exfiltrate results. The threat is designed for long‑term espionage on Windows hosts.

Investigation

The investigation identified a loader DLL (Netapi64.dll) obfuscated with Eazfuscator.NET that creates marker files and a mutex, then decodes and runs a backdoor component called OpenAIAgent.Netapi64. The backdoor parses a pipe‑delimited configuration containing an OpenAI API key, a dictionary key, and an optional proxy. It interacts with the OpenAI Assistants API to fetch vector stores, assistants, and messages that encode commands or payloads, which are decrypted, decompressed and executed via a JScript engine.

Mitigation

Microsoft recommends hardening firewalls and proxy settings, enabling tamper protection and real‑time protection in Defender, and using block mode for potentially unwanted applications. Monitoring outbound traffic to api.openai.com and detecting the creation of the specific mutex and temporary files can help detect the activity. Deploying EDR with block mode and automating remediation actions is also advised.
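
The following added example, which is not code from the Microsoft report or from SOC Prime, hunts Sysmon-style events for processes outside an allowlist that reach api.openai.com. It goes beyond a plain NetworkConnect match by also accepting DNS query records; the allowlist, host names, and sample events are constructed assumptions.

```python
from collections import defaultdict

WATCHED_HOST = "api.openai.com"  # endpoint the page says to monitor

# Assumption: site-specific allowlist of images expected to call the API.
EXPECTED_IMAGES = {r"c:\program files\google\chrome\application\chrome.exe"}

# Constructed Sysmon-style records (ID 3 NetworkConnect, ID 22 DNS query),
# trimmed to the fields used; hosts and times are invented for the demo.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS-01", "UtcTime": "2025-11-04 09:00:01",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.openai.com"},
    {"EventID": 3, "Computer": "WS-02", "UtcTime": "2025-11-04 09:05:10",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "API.OpenAI.com."},
    {"EventID": 22, "Computer": "WS-02", "UtcTime": "2025-11-04 09:05:09",
     "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "api.openai.com"},
    {"EventID": 3, "Computer": "WS-02", "UtcTime": "2025-11-04 09:06:00",
     "Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": ""},
    {"EventID": 22, "Computer": "WS-03", "UtcTime": "2025-11-04 10:00:00",
     "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "example.com"},
]


def event_host(ev):
    """Hostname from a NetworkConnect or DNS query record, normalized."""
    raw = ev.get("DestinationHostname") or ev.get("QueryName") or ""
    return raw.strip().rstrip(".").lower()


def hunt(events, watched=WATCHED_HOST, expected=EXPECTED_IMAGES):
    """One finding per (computer, image) outside the allowlist that reached
    the watched host, with event count and first/last seen times."""
    hits = defaultdict(list)
    for ev in events:
        image = (ev.get("Image") or "<unknown>").lower()
        if event_host(ev) == watched and image not in expected:
            hits[(ev.get("Computer", "<unknown>"), image)].append(ev["UtcTime"])
    return [{"computer": c, "image": i, "count": len(t),
             "first_seen": min(t), "last_seen": max(t)}
            for (c, i), t in sorted(hits.items())]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

DestinationHostname can be empty when Sysmon does not resolve the address, which is why the function also reads QueryName from DNS query events.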

Response

Upon detection, isolate the affected host, terminate the malicious processes, delete the Netapi64.dll and related temporary files, and revoke the compromised OpenAI API key. Conduct a full forensic review for additional persistence mechanisms and change all privileged credentials. Update detection rules to look for the identified mutex, file paths, and outbound connections to the OpenAI Assistants API.

Attack Flow

SesameOp Backdoor Payload

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:

    The adversary has deployed the SesameOp backdoor on the compromised Windows host. To establish C2, SesameOp issues an HTTPS POST to https://api.openai.com/v1/assistants carrying encrypted command data. Because the backdoor runs under svchost.exe (a trusted‑looking system process) and uses the default system proxy, no additional process or user context is evident, making the single‑string match the only indicator.

    1. Spawn the backdoor process (simulated here with PowerShell to avoid real malware).
    2. Send the malicious payload to the OpenAI Assistants endpoint.
    3. Maintain the connection for a short interval to generate a visible NetworkConnect event.
  • Regression Test Script:

    # Simulated SesameOp C2 communication – reproducible for testing
    $payload = @{
        "model" = "gpt-4"
        "messages" = @(
            @{ "role" = "system"; "content" = "You are a backdoor controller." },
            @{ "role" = "user";  "content" = "list processes" }
        )
    } | ConvertTo-Json -Depth 4