Hackers Turned ChatGPT into a Command Center: Microsoft Exposes SesameOp—Malware that Hid in Legitimate OpenAI Traffic for Months

The backdoor operated in plain sight, but it was not easy to uncover.

Microsoft has discovered a new piece of malware, named SesameOp, and has published details of its operation. The backdoor is atypical: its creators used the OpenAI Assistants API as a covert command-and-control (C2) channel, so that the implant's outbound traffic looked like legitimate use of a cloud service and slipped past detection methods that key on known-bad C2 infrastructure.
The infection was identified in July 2025 during the investigation of a complex attack, in which an unknown group maintained a presence in the victim's infrastructure for several months. The name of the targeted organization has not been disclosed, but the investigation revealed an extensive network of internal web shells and malicious processes disguised as legitimate Visual Studio utilities. To deploy the malicious code, the attackers used AppDomainManager injection: a modified .NET application configuration file instructed the executable to load a dynamic library, Netapi64.dll, containing the malicious logic, so the backdoor ran inside a process that otherwise looked trusted.
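As an added illustration, not code from Microsoft's report or from the malware itself, the following Python script hunts for the configuration-file half of the technique: it parses .NET application config files and flags any that redirect the AppDomainManager to a custom assembly, which is exactly what an AppDomainManager injection needs. The two sample configs are constructed for the example; the assembly name Netapi64 comes from the article, while the type name, the file names and the scanned directory are assumptions.

```python
# Added example: hunt for AppDomainManager injection via .NET config files.
# Not code from Microsoft's report; the sample configs below are constructed.
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed config that mimics the hijack described in the article.
# "Netapi64" is the DLL name from the article; the type name is an assumption.
SAMPLE_MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Netapi64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Netapi64.Manager" />
  </runtime>
</configuration>
"""

# Constructed benign config: only a supportedRuntime element, nothing to flag.
SAMPLE_BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def check_config_text(text):
    """Return {'assembly': ..., 'type': ...} if the config redirects the
    AppDomainManager, otherwise None. Unparseable XML is reported as None
    (a config the runtime cannot parse cannot inject either)."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    # Either element alone is already anomalous: legitimate software that ships
    # a custom AppDomainManager is rare, and it normally sets both values.
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def sideloaded_assembly_name(finding):
    """Short assembly name from a finding, e.g. 'Netapi64' from
    'Netapi64, Version=...'. Used to look for the DLL beside the EXE."""
    asm = finding.get("assembly") or ""
    return asm.split(",", 1)[0].strip() or None


def scan_directory(root):
    """Walk a directory tree for *.exe.config / *.dll.config files and yield
    (config_path, finding, dll_present) for every AppDomainManager redirect.
    dll_present says whether <name>.dll sits beside the config, i.e. whether
    the redirected assembly would actually be found by the loader."""
    root = Path(root)
    for cfg in root.rglob("*.config"):
        if not (cfg.name.endswith(".exe.config") or cfg.name.endswith(".dll.config")):
            continue
        try:
            finding = check_config_text(cfg.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue
        if finding is None:
            continue
        name = sideloaded_assembly_name(finding)
        dll_present = bool(name) and (cfg.parent / f"{name}.dll").exists()
        yield cfg, finding, dll_present


if __name__ == "__main__":
    import sys
    # Hypothetical default: scan the current directory unless a path is given.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for cfg, finding, dll_present in scan_directory(target):
        print(f"{cfg}: assembly={finding['assembly']!r} type={finding['type']!r} "
              f"dll_beside_config={dll_present}")
```

Run it against directories that hold signed, trusted executables (program directories, tool folders that attackers like to hide in). A hit where the named DLL sits beside the EXE is the strongest signal; a hit with no DLL present still merits a look, since the DLL may be staged later or loaded from a probing path. The config file is not the only way to set an AppDomainManager: the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables achieve the same redirect, so pair this file scan with a check of process environments or of what assemblies a process actually loaded.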
The library was heavily obfuscated with Eazfuscator.NET to hinder analysis. It served as a loader for a .NET module called OpenAIAgent.Netapi64, which requested instructions via the OpenAI Assistants API. Received commands were decrypted, then executed in a separate thread, and the execution results were sent back through the same API. OpenAI's infrastructure thus acted as a relay between operator and implant, so network traffic analysis showed only connections to a well-known cloud service and nothing that pointed to attacker-owned infrastructure.
The implant and its operator exchanged messages through the API, with the "description" field carrying the control value: SLEEP, to pause activity for a time; Payload, to mark a message whose embedded instructions are to be executed; and Result, to return the execution output to the operator.
Although the identity of the threat actors remains unknown, the scheme itself illustrates a trend towards using legitimate cloud services for covert C2. This complicates detection, because at the network level the traffic has the same destination and protocol that ordinary corporate use of the API produces; telling the two apart means looking at which process is talking, how often, and, where TLS inspection allows it, what the requests contain. After being notified by Microsoft, the OpenAI team conducted an internal review, identified the API key involved, and blocked the associated account.
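As an added example covering both the control values above and the detection problem they pose, here is a small Python detector, not from Microsoft's report, run over constructed proxy log lines. It flags Assistants API requests whose JSON body carries one of the three control values, and any Assistants API use by a process outside a sanctioned list. The log format, the process names, the host names, the assistant identifier and the allow-list are all assumptions; the control values and the API family are from the article.

```python
# Added example, not from Microsoft's report: flag OpenAI Assistants API traffic
# that carries the SesameOp control values, or that comes from a process with
# no business talking to OpenAI. Log lines below are constructed.
import json
from collections import Counter

# Control values named in the article. Exact-case matching is an assumption.
CONTROL_VALUES = {"SLEEP", "Payload", "Result"}
# Hypothetical allow-list of processes sanctioned to call OpenAI directly.
ALLOWED_PROCESSES = {"chrome.exe", "python.exe", "node.exe"}
ASSISTANTS_PREFIX = "https://api.openai.com/v1/assistants"

# Constructed proxy/EDR export, one JSON object per line (format is an assumption).
# Host ws-0412 behaves like an implant; ws-0099 is ordinary developer use.
SAMPLE_LOG = r'''
{"ts":"2025-07-14T02:10:03Z","host":"ws-0412","process":"devenv_helper.exe","method":"GET","url":"https://api.openai.com/v1/assistants?limit=100","body":""}
{"ts":"2025-07-14T02:10:04Z","host":"ws-0412","process":"devenv_helper.exe","method":"POST","url":"https://api.openai.com/v1/assistants","body":"{\"name\":\"ws-0412\",\"description\":\"SLEEP\"}"}
{"ts":"2025-07-14T02:15:09Z","host":"ws-0412","process":"devenv_helper.exe","method":"POST","url":"https://api.openai.com/v1/assistants/asst_example","body":"{\"description\":\"Result\",\"instructions\":\"H4sIAAAA...\"}"}
{"ts":"2025-07-14T09:01:00Z","host":"ws-0099","process":"python.exe","method":"POST","url":"https://api.openai.com/v1/chat/completions","body":"{\"model\":\"gpt-4o\",\"messages\":[]}"}
{"ts":"2025-07-14T09:02:00Z","host":"ws-0099","process":"python.exe","method":"POST","url":"https://api.openai.com/v1/assistants","body":"{\"name\":\"support bot\",\"description\":\"Answers tickets\"}"}
'''


def parse_log(text):
    """Yield one event dict per non-empty log line."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_assistants_api(url):
    return url.startswith(ASSISTANTS_PREFIX)


def description_from_body(body):
    """Pull the 'description' field out of a JSON request body, if any.
    Returns None for empty bodies, non-JSON bodies or non-object JSON."""
    if not body:
        return None
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    return obj.get("description") if isinstance(obj, dict) else None


def detect(events):
    """Return a finding per Assistants API request that looks like SesameOp
    traffic, with one reason string per rule that fired."""
    findings = []
    for ev in events:
        if not is_assistants_api(ev["url"]):
            continue
        reasons = []
        desc = description_from_body(ev.get("body"))
        if desc in CONTROL_VALUES:
            reasons.append(f"sesameop_control_value:{desc}")
        if ev["process"].lower() not in ALLOWED_PROCESSES:
            reasons.append(f"unsanctioned_process:{ev['process']}")
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "process": ev["process"], "reasons": reasons})
    return findings


def hosts_by_hits(findings):
    """Count findings per host so the noisiest candidate implant surfaces first."""
    return Counter(f["host"] for f in findings).most_common()


if __name__ == "__main__":
    results = detect(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['ts']} {f['host']} {f['process']}: {', '.join(f['reasons'])}")
    print("hosts:", hosts_by_hits(results))
```

The body-inspection rule only works where the proxy or EDR can see decrypted request bodies; without TLS inspection, the process-to-destination pairing is what remains, and that is where the value lies against this family of tradecraft: the destination is legitimate, so the question becomes which binary on which host is the one calling it, and whether its cadence looks like a beacon rather than a person.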
According to Microsoft, the use of SesameOp indicates a deliberate effort to gain long-term access to infrastructure and control infected machines without the owners' knowledge. The OpenAI Assistants API itself, which was used for C2, is scheduled to be retired in August 2026 in favour of the newer Responses API. That retirement closes this particular channel but not the technique: any cloud service that lets one client write a field and another client read it back can be repurposed the same way.