Full Report
Microsoft security researchers have discovered a new backdoor malware that uses the OpenAI Assistants API as a covert command-and-control channel. [...]
Analysis Summary
# Tool/Technique: SesameOp Malware
## Overview
SesameOp is a newly discovered backdoor malware that utilizes the OpenAI Assistants API as a covert Command and Control (C2) channel to maintain long-term persistence and stealthily relay commands and exfiltrated data, circumventing traditional dedicated malicious infrastructure.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Windows (Inferred from .NET AppDomainManager injection into Visual Studio utilities)
- Capabilities: Covert C2 communication via a legitimate API, remote management, data exfiltration, persistence establishment.
- First Seen: July 2025 (when the attack activity was first detected)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
  - T1105 - Ingress Tool Transfer (Implied by fetching commands/tools)
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Abusing the OpenAI API layer)
- TA0003 - Persistence
  - T1547 - Boot or Logon Autostart Execution (Persistence established via internal web shells and malicious processes)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Malware uses a heavily obfuscated loader)
- TA0002 - Execution
  - T1055 - Process Injection
    - T1055.014 - .NET AppDomainManager Injection
## Functionality
### Core Capabilities
* **Covert C2:** Uses the OpenAI Assistants API as a communication and relay mechanism instead of traditional infrastructure.
* **Command Execution:** Fetches compressed and encrypted commands via the API, which the malware then decrypts and executes.
* **Data Exfiltration:** Transmits harvested information back to the attacker through the same API channel after encryption.
* **Persistence:** Establishes long-term access through internal web shells and strategically placed malicious processes.
### Advanced Features
* **Encryption:** Employs a combination of symmetric and asymmetric encryption to protect commands and exfiltrated data.
* **Loading Mechanism:** Utilizes a heavily obfuscated loader and deploys the core .NET-based backdoor via **.NET AppDomainManager injection** into legitimate local processes (e.g., Microsoft Visual Studio utilities).
* **Stealth:** Leverages a legitimate cloud service (OpenAI API) to blend in with normal traffic, avoiding detection associated with dedicated malicious C2 infrastructure.
## Indicators of Compromise
- File Hashes: Not specified
- File Names: Not specified
- Registry Keys: Not specified
- Network Indicators: No malicious domains or IPs listed; C2 communication is carried out via the OpenAI Assistants API endpoints.
- Behavioral Indicators:
  - Execution of a heavily obfuscated loader.
  - Injection of a .NET payload into Visual Studio utility processes.
  - Outbound network connections utilizing OpenAI API calls for communication.
## Associated Threat Actors
- Undetermined at the time of discovery, believed to be focused on long-term espionage operations.
## Detection Methods
- Signature-based detection: Not explicitly detailed, but standard file signatures for the loader/backdoor would apply.
- Behavioral detection:
  - Monitor for process injection techniques, specifically .NET AppDomainManager injection into common development or utility applications.
  - Monitor for unusual outbound calls to the OpenAI Assistants API made by non-standard processes.
- YARA rules: Not specified
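
One way to hunt for the outbound-API behavioral indicator above, as an added example (not code from the original report or from Microsoft): it scans constructed Sysmon-style network events and reports processes outside an allowlist that contact the OpenAI API host. The hostname `api.openai.com`, the event field names, the allowlist and every path in the sample are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Assumption: API hostname to watch; extend if traffic goes through a proxy.
WATCHED_HOSTS = {"api.openai.com"}
# Hypothetical allowlist: process images expected to call the API in this estate.
ALLOWED_IMAGES = {r"c:\program files\contosoai\assistant.exe"}

# Constructed sample, shaped like Sysmon network-connection events (one JSON per line).
SAMPLE = r"""
{"ts":"2025-07-01T09:00:00","host":"DEV-01","image":"C:\\Program Files\\ContosoAI\\assistant.exe","dest":"api.openai.com"}
{"ts":"2025-07-01T09:05:00","host":"DEV-02","image":"C:\\VS\\Tools\\example-util.exe","dest":"api.openai.com"}
{"ts":"2025-07-01T09:35:00","host":"DEV-02","image":"C:\\VS\\Tools\\example-util.exe","dest":"API.OPENAI.COM."}
{"ts":"2025-07-01T10:05:00","host":"DEV-02","image":"C:\\VS\\Tools\\example-util.exe","dest":"api.openai.com"}
{"ts":"2025-07-01T10:06:00","host":"DEV-03","image":"C:\\Windows\\System32\\svchost.exe","dest":"update.example.net"}
not-json
""".splitlines()


def find_unexpected_callers(lines, allowed=ALLOWED_IMAGES, watched=WATCHED_HOSTS):
    """Return {(host, image): [timestamps]} for non-allowlisted processes."""
    hits = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed records instead of aborting the hunt
        if not isinstance(ev, dict):
            continue
        # Normalise case and a trailing dot so host variants still match.
        dest = str(ev.get("dest", "")).lower().rstrip(".")
        image = str(ev.get("image", "")).lower()
        if dest in watched and image not in allowed:
            hits[(ev.get("host", "?"), image)].append(ev.get("ts", ""))
    return dict(hits)


def rank(hits):
    """Order findings so repeated contact (possible polling) is triaged first."""
    return sorted(((len(ts), host, image) for (host, image), ts in hits.items()),
                  reverse=True)


if __name__ == "__main__":
    for count, host, image in rank(find_unexpected_callers(SAMPLE)):
        print(f"{host}: {image} contacted the watched API host {count} time(s)")
```

A hit is a triage lead rather than a verdict: the allowlist has to reflect which applications legitimately use the API in the environment being monitored.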
## Mitigation Strategies
- Audit firewall logs for unauthorized connections to external services.
- Enable tamper protection on endpoints.
- Configure Endpoint Detection and Response (EDR) solutions in block mode.
- Monitor for unexpected activity within Microsoft Visual Studio utilities or associated processes.
- (Note: Microsoft and OpenAI collaborated to disable the specific account/API key used.)
## Related Tools/Techniques
- .NET AppDomainManager Injection (MITRE T1055.014)
- Malware utilizing legitimate cloud services for C2 (e.g., cloud storage, public APIs).