Full Report
Redmond uncovers SesameOp, a backdoor hiding its tracks by using OpenAI’s Assistants API as a command channel Hackers have found a new use for OpenAI's Assistants API – not to write poems or code, but to secretly control malware.…
Analysis Summary
# Tool/Technique: SesameOp
## Overview
SesameOp is a newly discovered backdoor that utilizes OpenAI’s Assistants API as its primary, stealthy command-and-control (C2) communication channel to relay instructions to infected systems and receive operational results from them.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Likely Windows, given the use of .NET assembly and obfuscation techniques commonly targeting Windows environments.
- Capabilities: Remote command execution, covert communication via a legitimate cloud service, payload encryption, and obfuscation.
- First Seen: July (Attack campaign described as ongoing for months prior to the November 2025 report).
## MITRE ATT&CK Mapping
This mapping is based on the description of the backdoor's behavior:
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol**
- T1071.001 - Web Protocols (Abusing the Assistants API endpoints which operate over standard web protocols. The key defining feature is the *legitimate service* abuse.)
- **TA0002 - Execution**
- **T1055 - Process Injection**
- T1055.012 - DLL Injection (Implied, as a DLL is loaded at runtime.)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information**
- T1027.002 - Software Packing (Use of Eazfuscator.NET)
- **T1140 - Deobfuscate/Decode Files or Information** (Implied by the decryption of commands)
## Functionality
### Core Capabilities
- **C2 via Legitimate Services:** Uses OpenAI's Assistants API to send encrypted commands and receive encrypted results, blending malicious traffic with legitimate AI service usage.
- **Initial Compromise:** Utilizes a loader component that implements **.NET AppDomainManager injection** to plant the backdoor DLL.
- **Execution:** Fetches encrypted commands from the Assistants API, decrypts them locally, and executes them on the compromised host.
- **Exfiltration:** Posts operational results back to the attacker via the same API channel after encrypting them.
### Advanced Features
- **Stealth/Evasion:** Avoids traditional C2 detection by not relying on suspicious domains or IP addresses, instead piggy-backing on the trusted `api.openai.com` infrastructure.
- **Obfuscation:** The backdoor DLL is heavily obfuscated using **Eazfuscator.NET**.
- **Payload Concealment:** Commands and exfiltrated results are protected using **payload compression and layered encryption**.
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: Not provided in the context, though a DLL is the primary implant.
- Registry Keys: Not provided in the context.
- Network Indicators: Communication targeting **OpenAI API endpoints** (e.g., those associated with the Assistants API).
- Behavioral Indicators:
- Use of **.NET AppDomainManager injection** at runtime to load a DLL.
- Suspicious outbound network connections to OpenAI APIs originating from non-standard processes.
- Presence of heavily obfuscated .NET components.
## Associated Threat Actors
- The threat actor behind the campaign is **unattributed** in the provided context.
## Detection Methods
- **Signature-based detection:** Not explicitly mentioned, but custom signatures would target Eazfuscator.NET patterns or specific byte sequences within the decrypted payloads.
- **Behavioral detection:** Monitoring for processes utilizing **.NET AppDomainManager injection** to load arbitrary DLLs.
- **Hunting Query (Microsoft's Recommendation):** Creating queries to spot unusual connection patterns to OpenAI endpoints specifically correlating the connection with a certain process name, aiming to differentiate legitimate usage from malicious activity.
## Mitigation Strategies
- **API Key Management:** Security teams should monitor and potentially restrict the use of newly created or unusual API keys registered for AI services on their networks if appropriate. (OpenAI disabled a key/account used in the attack.)
- **Network Monitoring:** Implement enhanced monitoring and anomaly detection for traffic directed at legitimate cloud provider APIs, looking for abnormal volume, timing, or originating processes.
- **Endpoint Hardening:** Focus defenses on mitigating common initial access and execution techniques like process injection and memory manipulation, especially within .NET applications.
- **Future Planning:** Be aware that the specific loophole (Assistants API) is scheduled for deprecation in **August 2026**, although the general pattern of abusing legitimate, trusted cloud services will persist.
## Related Tools/Techniques
- **Technique Pattern:** Abuse of trusted cloud services (e.g., Google Drive, GitHub, legitimate SaaS platforms) for C2 communications.
- **Obfuscator:** Eazfuscator.NET.