Full Report
Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications. "Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised
Analysis Summary
# Tool/Technique: SesameOp
## Overview
SesameOp is a novel backdoor discovered by Microsoft that utilizes the OpenAI Assistants Application Programming Interface (API) as a covert Command and Control (C2) channel. This technique allows the threat actor to stealthily communicate, orchestrate malicious activities, and exfiltrate results from compromised environments, aiming for long-term persistence for espionage.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Not explicitly stated, but leverages .NET components, suggesting Windows compatibility.
- Capabilities: Establishing stealthy C2 via legitimate third-party API (OpenAI), command execution, obfuscation, and persistence mechanisms.
- First Seen: Found in July 2025.
## MITRE ATT&CK Mapping
*Note: Based on the description of execution methods and C2 communication.*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Abusing the OpenAI API infrastructure for communication)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Uses Eazfuscator.NET)
- **TA0004 - Privilege Escalation / TA0005 - Defense Evasion**
  - T1574 - Hijack Execution Flow
    - T1574.014 - AppDomainManager Hollowing (Uses compromised Visual Studio utilities/malicious libraries via AppDomainManager injection)
## Functionality
### Core Capabilities
* **Stealthy C2:** Uses the OpenAI Assistants API for sending commands and receiving execution results, blending communications with legitimate AI service traffic.
* **Command Fetching:** The backdoor component fetches encrypted commands retrieved from the OpenAI Assistants API.
* **Execution:** Commands are decoded locally and executed in a separate thread.
* **Result Exfiltration:** Execution outputs are transmitted back to the threat actor via the OpenAI API as a new message marked as "Result."
### Advanced Features
* **AppDomainManager Injection:** Leverages compromised Microsoft Visual Studio utilities to load the malicious DLL (`Netapi64.dll`) into the host executable using a crafted `.config` file, facilitating stealthy injection.
* **Obfuscation:** The primary DLL component is heavily obfuscated using **Eazfuscator.NET** to evade static analysis.
* **C2 Messaging Structure:** Utilizes specific predefined messages within the API description field:
  * **SLEEP:** Instructs the process thread to pause for a specific duration.
  * **Payload:** Triggers the execution of the message content.
  * **Result:** Signals that execution output is ready to be sent back.
## Indicators of Compromise
* File Hashes: (Not provided in the context)
* File Names: `Netapi64.dll` (Loader component), `OpenAIAgent.Netapi64` (.NET-based backdoor component)
* Registry Keys: (Not provided in the context)
* Network Indicators: Communication occurs via the **OpenAI Assistants API** endpoints (specific URLs were not detailed but traffic is directed towards OpenAI infrastructure).
* Behavioral Indicators: Runtime loading of `Netapi64.dll` via .NET AppDomainManager injection; API calls structured to interact with the OpenAI Assistants API for command relay.
## Associated Threat Actors
* Unknown threat actors (Microsoft did not name the group responsible).
## Detection Methods
* **Signature-based detection:** Potentially through signatures targeting Eazfuscator.NET obfuscation patterns or known hashes of the components (once released).
* **Behavioral detection:** Monitoring for processes dynamically loading DLLs via the AppDomainManager injection technique, especially in conjunction with network activity directed towards known AI service APIs (like OpenAI).
* **YARA rules:** (Not provided in the context)
## Mitigation Strategies
* **API Key Management:** Reviewing and securing API keys used in applications, as Microsoft reported OpenAI disabled the suspected key.
* **Software Integrity:** Ensuring third-party utilities and development tools (like Visual Studio) and their associated libraries have not been tampered with or compromised.
* **Network Monitoring:** Implementing egress filtering or deep packet inspection to monitor traffic patterns to cloud services, looking for unusual command-like structures or encrypted payloads being sent via legitimate application APIs.
* **Process Monitoring:** Monitoring for unusual runtime loading mechanisms like AppDomainManager injection.
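
The crafted `.config` file described under Advanced Features and the process-monitoring item above can both be checked on disk. The following is an added example, not code from Microsoft's report: it audits .NET Framework application config files for the `appDomainManagerAssembly` and `appDomainManagerType` runtime settings. The function names, verdict labels, allowlist and sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed samples for illustration; not taken from the SesameOp report.
SAMPLE_HIJACK = """<configuration><runtime>
  <appDomainManagerAssembly value="ExampleLoader, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="ExampleNamespace.ExampleManager" />
</runtime></configuration>"""
SAMPLE_CLEAN = '<configuration><runtime><gcServer enabled="true" /></runtime></configuration>'

MANAGER_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")

def _local(tag):
    return tag.rsplit("}", 1)[-1].lower()  # element name without namespace

def audit_config(xml_data, config_dir=None, allowlist=()):
    """Return a finding dict if the config names an AppDomainManager, else None."""
    try:
        root = ET.fromstring(xml_data)  # accepts str or bytes
    except ET.ParseError as exc:
        return {"verdict": "unparseable", "detail": str(exc)}
    wanted = {k.lower(): k for k in MANAGER_KEYS}
    found = {}
    for runtime in (e for e in root.iter() if _local(e.tag) == "runtime"):
        for child in runtime:
            key = wanted.get(_local(child.tag))
            if key:
                found[key] = (child.get("value") or "").strip()
    if not found:
        return None
    # Display name form: "Name, Version=..., Culture=..., PublicKeyToken=..."
    display = found.get("appDomainManagerAssembly", "")
    simple = display.split(",")[0].strip()
    finding = dict(found, assembly=simple, verdict="review")
    if simple.lower() in {a.lower() for a in allowlist}:
        finding["verdict"] = "allowlisted"
    elif "publickeytoken=null" in display.lower().replace(" ", "") or "," not in display:
        finding["verdict"] = "suspicious"  # heuristic: manager assembly is not strong-named
    if config_dir is not None:
        # A same-named DLL beside the host executable is the candidate to inspect.
        finding["dll_beside_host"] = (Path(config_dir) / f"{simple}.dll").is_file()
    return finding

def scan_tree(top, allowlist=()):
    """Audit every *.exe.config under `top`; yields (path, finding) pairs."""
    for path in Path(top).rglob("*.exe.config"):
        finding = audit_config(path.read_bytes(), path.parent, allowlist)
        if finding:
            yield path, finding
```

Any finding other than `allowlisted` is a lead for manual review of the named assembly, since a custom AppDomainManager in a developer utility's config is rare in normal deployments.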
## Related Tools/Techniques
* **AppDomainManager injection (T1574.014):** The specific injection technique used for loading the backdoor component.
* **Abuse of Legitimate Services for C2:** Similar to threat actors using legitimate services such as cloud storage, messaging platforms, or infrastructure-as-code tools to hide C2 traffic.