SesameOp Backdoor Detection: Microsoft Discovers New Malware Abusing OpenAI Assistants API in Cyber-Attacks
SesameOp Malware Attacks
Microsoft researchers discovered a new backdoor named SesameOp that uses the OpenAI Assistants API as a covert command and control channel. The malware is delivered via a malicious Netapi64.dll loader that is injected into .NET processes using AppDomainManager injection. It stores configuration in the DLL’s resources and communicates with OpenAI endpoints to receive commands and exfiltrate results. The threat is designed for long‑term espionage on Windows hosts.
Investigation
The investigation identified a loader DLL (Netapi64.dll) obfuscated with Eazfuscator.NET that creates marker files and a mutex, then decodes and runs a backdoor component called OpenAIAgent.Netapi64. The backdoor parses a pipe‑delimited configuration containing an OpenAI API key, a dictionary key, and an optional proxy. It interacts with the OpenAI Assistants API to fetch vector stores, assistants, and messages that encode commands or payloads, which are decrypted, decompressed and executed via a JScript engine.
Mitigation
Microsoft recommends hardening firewalls and proxy settings, enabling tamper protection and real‑time protection in Defender, and using block mode for potentially unwanted applications. Monitoring outbound traffic to api.openai.com and detecting the creation of the specific mutex and temporary files can help detect the activity. Deploying EDR with block mode and automating remediation actions is also advised.
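The outbound-traffic monitoring described above can be prototyped offline over exported telemetry. The following is an added example, not code from Microsoft or from the original page: it flags processes outside an allowlist that resolve or connect to api.openai.com. The events are constructed samples using Sysmon field names (Event ID 22 for DNS queries, Event ID 3 for network connections), and the allowlist contents are an assumption.

```python
import ntpath
from collections import Counter

TARGET = "api.openai.com"

# Assumption: full paths of programs expected to call the OpenAI API on these hosts.
ALLOWED_IMAGES = {r"c:\program files\google\chrome\application\chrome.exe"}

# Constructed Sysmon-style events (EventID 22 = DNS query, 3 = network connection).
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "WS01", "QueryName": "api.openai.com",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 22, "Computer": "WS02", "QueryName": "API.OpenAI.com.",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "Computer": "WS02", "DestinationHostname": "api.openai.com",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "Computer": "WS03", "DestinationHostname": "api.openai.com",
     "Image": r"C:\Users\Public\chrome.exe"},
    {"EventID": 22, "Computer": "WS04", "QueryName": "api.openai.com.cdn.example",
     "Image": r"C:\Windows\System32\svchost.exe"},
]


def normalize_host(name):
    """Lower-case and drop the trailing root dot so 'API.OpenAI.com.' matches."""
    return (name or "").strip().lower().rstrip(".")


def unusual_openai_clients(events, allowed=ALLOWED_IMAGES):
    """Count DNS/network events to TARGET per (host, image) for non-allowlisted images."""
    hits = Counter()
    for ev in events:
        field = {22: "QueryName", 3: "DestinationHostname"}.get(ev.get("EventID"))
        if field is None or normalize_host(ev.get(field)) != TARGET:
            continue  # exact match only: 'api.openai.com.cdn.example' is a different name
        image = ntpath.normpath(ev.get("Image", "")).lower()
        if image not in allowed:  # full path, so a same-named binary elsewhere still alerts
            hits[(ev.get("Computer", "?"), image)] += 1
    return hits


if __name__ == "__main__":
    for (host, image), count in sorted(unusual_openai_clients(SAMPLE_EVENTS).items()):
        print(f"{host}: {image} contacted {TARGET} ({count} event(s))")
```

Because the loader is injected into existing .NET processes, the reported image can be a legitimate binary, so the allowlist should contain only programs expected to use the OpenAI API in the environment rather than everything that is signed or trusted.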
Response
Upon detection, isolate the affected host, terminate the malicious processes, delete the Netapi64.dll and related temporary files, and revoke the compromised OpenAI API key. Conduct a full forensic review for additional persistence mechanisms and change all privileged credentials. Update detection rules to look for the identified mutex, file paths, and outbound connections to OpenAI Assistants API.
Detect SesameOp Backdoor
- Detect Netapi64 Backdoor Initialization and Exception Logging [Windows File Event]
- Detection of SesameOp Backdoor Utilizing OpenAI API for C2 [Windows Process Creation]
- Detect SesameOp Backdoor Using OpenAI API for C2 Communications [Windows Network Connection]
- Possible OpenAI Assistants API Domain Was Resolved By Unusual Process (via dns_query)
SesameOp Backdoor Payload
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
The adversary has deployed the SesameOp backdoor on the compromised Windows host. To establish C2, SesameOp issues an HTTPS POST to https://api.openai.com/v1/assistants carrying encrypted command data. Because the backdoor runs under svchost.exe (a trusted‑looking system process) and uses the default system proxy, no additional process or user context is evident, making the single‑string match the only indicator.
- Spawn the backdoor process (simulated here with PowerShell to avoid real malware).
- Send the malicious payload to the OpenAI Assistants endpoint.
- Maintain the connection for a short interval to generate a visible NetworkConnect event.
Regression Test Script:
# Simulated SesameOp C2 communication – reproducible for testing
$payload = @{
    "model"    = "gpt-4"
    "messages" = @(
        @{ "role" = "system"; "content" = "You are a backdoor controller." },
        @{ "role" = "user"; "content" = "list processes" }
    )
} | ConvertTo-Json -Depth 4