
SesameOp: Novel Backdoor Uses OpenAI Assistants API for Command and Control

Microsoft researchers have uncovered a new backdoor, dubbed SesameOp, that leverages the OpenAI Assistants API for command-and-control (C2) communications. This innovative approach allows threat actors to stealthily communicate and orchestr...


Key Insights

  • **Novel C2 Mechanism:** SesameOp abuses the OpenAI Assistants API as a covert channel for fetching commands, which the malware then executes.
  • **Discovery:** The backdoor was discovered during an investigation of a sophisticated security incident in July 2025, where threat actors maintained persistence for several months.
  • **Technical Details:** The malware uses a loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64), employing payload compression and layered encryption to hide its activities.
  • **Mitigation:** Microsoft recommends auditing firewalls, enabling tamper protection, and using endpoint detection in block mode to mitigate the impact of SesameOp.
  • **Collaboration:** Microsoft and OpenAI jointly investigated the threat, leading to the identification and disabling of a malicious API key and associated account.

In-Depth Analysis

SesameOp represents a sophisticated evolution in backdoor tactics. The malware's infection chain involves a loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64). The loader is heavily obfuscated using Eazfuscator.NET and is designed for stealth and persistence. It leverages .NET AppDomainManager injection to load at runtime.

The backdoor component, OpenAIAgent.Netapi64, uses the OpenAI Assistants API to fetch commands, decrypt them, and execute them locally. It then sends the results back to OpenAI as a message, using compression and encryption to stay hidden. The malware checks for specific instructions such as `SLEEP`, `Payload`, and `Result` to manage its operations.

This approach allows the threat actor to maintain long-term persistence for espionage-type purposes. The stealthy nature of SesameOp makes it difficult to detect, as it blends in with legitimate OpenAI API traffic. Microsoft has provided detailed mitigation guidance, including auditing firewalls and enabling tamper protection.

**How to Prepare:**

  • Implement robust monitoring of network traffic to detect unusual API calls.
  • Ensure endpoint detection and response (EDR) solutions are configured in block mode.
  • Regularly audit firewall and web server logs.
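One way to act on the monitoring and log-audit steps above, as an added example that is not from the source article or from Microsoft's guidance: list device and process pairs that reach the OpenAI API without being on an allowlist, and summarise how regularly they connect. The log format, device names, process names and allowlist are constructed assumptions; `api.openai.com` is the public OpenAI API hostname.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample egress log (not real telemetry).
# Columns: UTC timestamp, device, initiating process, destination host.
SAMPLE_LOG = """\
2025-07-01T09:00:05Z,ws-014,chrome.exe,api.openai.com
2025-07-01T09:00:40Z,srv-web02,hypothetical-svc.exe,api.openai.com
2025-07-01T09:10:40Z,srv-web02,hypothetical-svc.exe,api.openai.com
2025-07-01T09:20:40Z,srv-web02,hypothetical-svc.exe,api.openai.com
2025-07-01T09:31:00Z,ws-022,python.exe,api.openai.com
2025-07-01T09:32:10Z,ws-022,python.exe,pypi.org
2025-07-01T09:45:00Z,srv-app07,powershell.exe,api.openai.com
"""

API_HOST = "api.openai.com"
# Assumption: the organisation keeps an allowlist of
# (device-name prefix, process) pairs sanctioned to call the API.
APPROVED = {("ws-", "chrome.exe"), ("ws-", "python.exe")}


def approved(device, process):
    return any(device.startswith(prefix) and process.lower() == proc
               for prefix, proc in APPROVED)


def unapproved_api_callers(log_text):
    """Return {(device, process): summary} for unsanctioned API traffic."""
    seen = defaultdict(list)
    for ts, device, process, dest in csv.reader(io.StringIO(log_text)):
        if dest.strip().lower() == API_HOST and not approved(device, process):
            seen[(device, process)].append(
                datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    findings = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[key] = {
            "connections": len(times),
            "first_seen": times[0].isoformat(),
            # A steady median gap hints at a polling loop; None for one hit.
            "median_gap_s": median(gaps) if gaps else None,
        }
    return findings


if __name__ == "__main__":
    for (device, process), info in unapproved_api_callers(SAMPLE_LOG).items():
        print(device, process, info)
```

A hit here is a lead for triage, not a verdict: servers and service accounts that have no business reason to call the API are the ones to examine first.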

**Who This Affects Most:**

  • Organizations that heavily rely on cloud services and APIs.
  • Companies in sectors targeted for espionage, such as government and technology.


FAQ

- **Q: What is SesameOp?**
- **Q: How does SesameOp work?**
- **Q: How was SesameOp discovered?**
- **Q: What steps can be taken to mitigate the impact of SesameOp?**

Takeaways

  • Implementing robust monitoring of network traffic.
  • Ensuring endpoint detection and response solutions are properly configured.
  • Regularly auditing firewall and web server logs.


Disclaimer

This article was compiled by Yanuki using publicly available data and trending information. The content may summarize or reference third-party sources that have not been independently verified. While we aim to provide timely and accurate insights, the information presented may be incomplete or outdated.

All content is provided for general informational purposes only and does not constitute financial, legal, or professional advice. Yanuki makes no representations or warranties regarding the reliability or completeness of the information.

This article may include links to external sources for further context. These links are provided for convenience only and do not imply endorsement.

Always do your own research (DYOR) before making any decisions based on the information presented.