Microsoft reports that a threat actor exploited the OpenAI Assistants API to communicate between a command-and-control server and a hidden backdoor. The backdoor called SesameOp was used in a complex attack, allowing the attacker to access the compromised system for months through a network of web shells.
The commands, Microsoft says, were relayed through malicious processes that abused compromised Visual Studio utilities to load malicious libraries, a technique referred to as .NET AppDomainManager injection.
SesameOp allows attackers to control infected devices remotely, indicating the attack was meant for long-term espionage. The attackers, Microsoft explains, modified the configuration file of a host executable so it would load at runtime a DLL named Netapi64.dll, using .NET AppDomainManager injection.
The DLL acts as a loader for the backdoor, which is saved in the Temp folder under the name OpenAIAgent.Netapi64. The malware utilizes the OpenAI Assistants API to receive commands from its C&C server and sends the results back to OpenAI as a message after completing the tasks.
The OpenAI Assistants feature allows users to create custom AI agents for specific tasks and workflows. The backdoor checks OpenAI’s vector store list for hostnames when it first connects. If it’s the initial communication, there should be no hostnames. A vector store is then created using the infected system’s hostname.
Next, the backdoor retrieves a list of Assistants from the attacker’s OpenAI account. The list includes ID, name, description, and instructions variables.
The description field can include Sleep, Payload, or Result. Attackers use Sleep and Payload to send messages and payloads to the backdoor, which decodes and executes them. Result is used to return the outcome of the payload’s execution.
Microsoft found an API key linked to an attack and informed OpenAI, which disabled the key and the account involved. The OpenAI Assistants API will be phased out in August 2026.
InfoSecBulletin Cybersecurity for mankind
