Microsoft’s Detection and Response Team (DART) said in a technical report that it identified a novel backdoor named SesameOp, which uses the OpenAI Assistants API as a command-and-control channel to fetch instructions and relay results.
Microsoft reported discovering the implant in July 2025 during a sophisticated security incident in which unknown actors maintained persistence in the target environment for several months; the company did not name the affected organization.
The analysis described a loader component (“Netapi64.dll”) and a .NET backdoor (“OpenAIAgent.Netapi64”) that is heavily obfuscated with Eazfuscator.NET and loaded at runtime via .NET AppDomainManager injection as instructed by a crafted .config file. Microsoft’s report provides technical context on the AppDomainManager injection technique.
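A defender's check for the .config-driven AppDomainManager injection described above, as an added example that is not taken from Microsoft's report: it flags the `appDomainManagerAssembly` and `appDomainManagerType` runtime settings in .NET configuration files so each hit can be reviewed. The sample configs and the `ExampleLoader` names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# .NET Framework <runtime> settings that select a custom AppDomainManager.
ADM_KEYS = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed samples; "ExampleLoader" is a placeholder, not a name from the report.
SAMPLE_SUSPECT = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleLoader.Manager" />
  </runtime>
</configuration>"""
SAMPLE_CLEAN = '<configuration><runtime><gcServer enabled="true" /></runtime></configuration>'

def _local(tag):
    """Drop any XML namespace and lower-case the element name."""
    return tag.rsplit("}", 1)[-1].lower()

def find_appdomain_manager(config):
    """Return {setting: value} for AppDomainManager settings under <runtime>."""
    try:
        root = ET.fromstring(config)  # accepts str or bytes
    except ET.ParseError:
        return {}  # not well-formed XML: nothing to report
    hits = {}
    for node in root.iter():
        if _local(node.tag) == "runtime":
            for el in node.iter():
                if _local(el.tag) in ADM_KEYS:
                    hits[_local(el.tag)] = el.get("value", "")
    return hits

def scan_tree(top):
    """Walk a directory and list (path, settings) for every flagged *.config file."""
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if not name.lower().endswith(".config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = find_appdomain_manager(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                findings.append((path, hits))
    return findings
```

This file scan does not cover the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which can select an AppDomainManager without any .config file.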
The backdoor uses the OpenAI Assistants API as a storage or relay mechanism: it fetches encrypted commands from messages, decodes and executes them locally, and sends execution results back to OpenAI as new messages. According to OpenAI documentation, the Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.
Microsoft said it shared its findings with OpenAI, which identified and disabled an API key and associated account believed to have been used by the adversary. It remains unclear who developed or deployed SesameOp, and Microsoft described the activity as part of a broader pattern of abusing legitimate services to blend in with normal network traffic.

