OpenAI Assistants API Exploited by Threat Actors in New Backdoor Campaign

Listen to this Post

Featured Image

Introduction

In a chilling development in the cybersecurity landscape, threat actors have begun exploiting OpenAI’s Assistants API to silently control compromised systems. Microsoft researchers uncovered this sophisticated attack, revealing a new malware strain named SesameOp, which leverages legitimate AI infrastructure as a command-and-control channel. This novel tactic marks a significant evolution in cyberattacks, combining stealth, obfuscation, and AI-powered communication to evade traditional security measures.

Malware Campaign Overview: SesameOp Backdoor

In July 2025, Microsoft’s Detection and Response Team (DART) identified a complex security breach involving threat actors who had maintained long-term access to enterprise systems. During the investigation, researchers discovered multiple internal web shells linked to compromised Microsoft Visual Studio utilities. These web shells facilitated persistent malicious activity and deployed a backdoor malware named SesameOp.

Unlike conventional malware, SesameOp exploits the OpenAI Assistants API for command-and-control (C2) communications. Rather than using traditional C2 servers, the threat actors send encrypted commands to compromised devices via this AI-driven API. The backdoor maintains persistence and stealth through a combination of obfuscated dynamic link libraries (DLLs), sophisticated encryption, and runtime injection techniques.

The core components of SesameOp include a loader DLL named Netapi64.dll and a .NET-based backdoor called OpenAIAgent.Netapi64. Netapi64.dll is heavily obfuscated with Eazfuscator.NET and loaded into host applications using a defense evasion method called .NET AppDomainManager injection. OpenAIAgent.Netapi64, despite its name, does not use OpenAI SDKs or model execution features but instead retrieves commands via the Assistants API, decrypts them, executes locally, and returns results securely through the same channel.

The malware employs multiple layers of encryption, including symmetric and asymmetric methods, along with payload compression to conceal command data and exfiltrated information. These tactics ensure that all communications remain covert and resistant to detection.

Microsoft’s Mitigation Recommendations

To counter the SesameOp threat, Microsoft suggests a multi-layered security strategy:

Audit and monitor firewalls and web server logs consistently.

Use Microsoft Defender Firewall and intrusion prevention systems to block unauthorized communications.

Configure perimeter firewall and proxy settings to restrict non-standard port access.

Enable tamper protection in Microsoft Defender for Endpoint.

Run endpoint detection and response in block mode to automatically prevent malicious artifacts.

Enable automated investigation and remediation to reduce response time.

Activate protection against potentially unwanted applications (PUA) in block mode.

Ensure cloud-delivered protection and real-time antivirus monitoring are enabled.

What Undercode Say: Analytical Insight

SesameOp represents a new frontier in cyberattacks where AI infrastructure itself is weaponized. By leveraging OpenAI’s Assistants API as a stealthy C2 channel, threat actors bypass traditional security frameworks designed to monitor IP addresses, domains, and conventional command servers. This approach effectively cloaks malicious activity within legitimate AI service traffic, making it extraordinarily difficult for endpoint security to detect unusual patterns.

The strategic design of SesameOp shows an acute understanding of both defensive mechanisms and software architecture. The use of .NET AppDomainManager injection allows the malware to blend seamlessly into host processes, avoiding traditional signature-based detection. The dual DLL and .NET backdoor architecture separates the loader from the execution logic, further reducing exposure to security scanners.

Moreover, the encryption and compression mechanisms ensure that data exfiltration is minimal and almost impossible to trace. Threat actors have adapted to the fact that traditional AV and endpoint detection often struggle with rapidly evolving, obfuscated malware. By integrating cloud-based AI services into their attack chain, they exploit the inherent trust organizations place in external platforms.

The implications extend beyond enterprise IT. Any organization using AI-assisted workflows could become an unintended vector for these types of attacks if security monitoring doesn’t account for AI traffic as a potential attack surface. The upcoming deprecation of the Assistants API in August 2026 and its replacement with the Responses API may temporarily reduce exposure, but the underlying tactic—using cloud-based AI services as covert C2 channels—could persist and evolve across other platforms.

This incident also underscores the importance of proactive cybersecurity practices, such as zero-trust architectures and constant monitoring of AI-integrated services. Companies must now consider AI APIs as part of their threat modeling, ensuring that legitimate services cannot be co-opted for malicious purposes.

From an organizational perspective, the attack highlights the value of automated threat response. Manual incident response is too slow to counteract malware that can execute commands in near real-time via cloud services. Integrating AI-driven monitoring with automated mitigation could be the key to defending against these next-generation attacks.

Finally, the SesameOp case signals a paradigm shift: threat actors are no longer limited to attacking endpoints or networks—they are weaponizing trusted software ecosystems. This raises ethical and practical questions for software vendors, particularly AI service providers, who may need to implement more rigorous usage monitoring and anomaly detection to prevent abuse.

Fact Checker Results

✅ The backdoor malware SesameOp uses OpenAI’s Assistants API for command-and-control.

✅ Microsoft DART reported the discovery in November 2025.

❌ SesameOp does not execute OpenAI models locally; it only uses the API for encrypted commands.

Prediction 📊

Threat campaigns leveraging AI infrastructure are likely to grow in sophistication. Over the next 12–18 months, we anticipate:

Increased targeting of AI APIs as stealthy command channels.

Wider adoption of multi-layered encryption and obfuscation to avoid detection.

Security vendors expanding AI traffic monitoring and anomaly detection protocols.

Enterprises investing heavily in automated response to keep pace with real-time AI-driven threats.

Organizations that fail to adapt quickly may face prolonged breaches and undetected exfiltration. AI’s dual role as a productivity tool and a potential attack vector will redefine cybersecurity strategy in 2026.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon