In November 2025, Microsoft’s Incident Response and Detection and Response Team (DART) discovered of a sophisticated new malware family named SesameOp, notable for its novel abuse of the OpenAI Assistants API as a command-and-control (C2) channel. This finding marks a significant evolution in the threat landscape, illustrating how adversaries are now integrating artificial intelligence (AI) and legitimate cloud-based APIs into their operational toolkits. For executives, chief information security officers (CISOs), and cybersecurity leaders, the implications are profound: trusted services are no longer, if they ever were, off-limits to attackers, and detection strategies built solely on known indicators of compromise (IOCs) are becoming less effective.
Under the SesameOp Hood
SesameOp was uncovered in July 2025, during a routine investigation into a long-running intrusion within a corporate environment. Analysis revealed that the attackers had maintained a persistent presence for several months without detection, an indication of both the group’s sophistication and its strategic intent.
Unlike typical backdoors that connect to dedicated or compromised C2 servers, SesameOp used the OpenAI Assistants API, a legitimate, widely trusted platform, but should be noted is scheduled to be deprecated in August 2026, to relay encrypted instructions and return exfiltrated results. By embedding malicious communication within normal outbound traffic to OpenAI’s infrastructure, the attackers effectively concealed their operations within an otherwise trusted channel.
Microsoft confirmed that this activity did not result from any vulnerability or misconfiguration within OpenAI’s systems. Instead, the attackers exploited the platform’s legitimate design features; specifically, the ability to create and manage custom “assistants” and exchange messages through the API. This abuse of legitimate functionality — rather than exploitation of software flaws — demonstrates a trend increasingly observed across the cybersecurity landscape, often referred to as “living off trusted land.”
This approach fundamentally alters the detection equation. Security tools that rely on identifying connections to known malicious domains or signatures will not flag traffic to api.openai.com as suspicious. Consequently, organizations relying primarily on reputation-based filtering or domain blacklisting may have blind spots in their network telemetry.
Diving Deeper
While the technical underpinnings are complex, understanding the structure of SesameOp is essential for developing any defensive strategy. The malware consists of multiple components designed to maintain persistence, conceal execution, and facilitate remote command exchange through the OpenAI API.
The attack begins with a loader. Threat actors deploy an obfuscated dynamic-link library (DLL) named Netapi64.dll to act as the loader. This component employs a .NET AppDomainManager injection technique to insert itself into legitimate processes, thereby avoiding detection by conventional endpoint tools. Once established, the loader continuously monitors for a trigger file within the C:\Windows\Temp\ directory. The presence of this file signals the malware to activate and execute its next phase.
The next stage deploys the backdoor component, named OpenAIAgent.Netapi64. This backdoor establishes communication with the OpenAI Assistants API. It retrieves configuration data from an embedded resource file, including an API key, encryption parameters, and occasionally a proxy address for anonymizing outbound connections. Using these credentials, the backdoor queries the API for existing “assistants” linked to the attacker’s account.
Instead of issuing instructions through conventional C2 commands, the attacker encodes them into the description fields of these assistants. When the malware detects a specific keyword, such as “Payload”, it downloads the associated content, decrypts it, and executes it locally using the JScript engine’s Eval() function. After execution, the malware compresses and encrypts the output with AES and RSA, then uploads the results through the same API, appearing to conduct normal data exchange.
The backdoor also dynamically creates new assistants labeled with the infected host’s base64-encoded hostname, effectively turning each compromised endpoint into a status node within the attacker’s AI-based control ecosystem. Throughout, the malware maintains stealth through legitimate TLS-encrypted traffic and the absence of overt C2 beacons.
This level of sophistication suggests that the operation’s objective is long-term intelligence collection, not immediate monetization or disruption. The persistence mechanisms, encryption layers, and use of legitimate infrastructure align with techniques employed by advanced persistent threat (APT) actors rather than financially motivated ransomware groups.
The Strategic Implications for Security Leaders
SesameOp represents more than a single malware strain; it signals a strategic shift in adversarial trade craft. For security leaders and executives overseeing digital transformation and AI adoption, several lessons emerge.
First, trusted infrastructure can no longer be assumed safe by default. Attackers are moving away from using obvious malicious infrastructure, instead embedding their operations within reputable services such as cloud platforms, collaboration tools, and now AI APIs. This tactic erodes the effectiveness of security models that rely heavily on domain reputation or static threat intelligence.
Second, AI ecosystems introduce a new attack surface. As organizations integrate AI into workflows, attackers are simultaneously learning to exploit the same technologies for evasion and control. The abuse of OpenAI’s API demonstrates that adversaries are capable of co-opting emerging technologies before defensive frameworks have fully matured.
Third, traditional detection pipelines must evolve toward behavioural and contextual analysis. Detecting misuse of an API service like OpenAI’s requires telemetry beyond basic network logs. Security teams need visibility into endpoint behaviours, anomalous API usage, and deviations from normal communication patterns.
Finally, cross-vendor collaboration is becoming a necessity, not a luxury. Microsoft and OpenAI coordinated rapidly to disable the compromised API account and block further misuse. This underscores the value of vendor partnerships and threat-intelligence sharing networks that can respond at ecosystem scale.
Defensive Strategies and Mitigations
These recommendations are particularly relevant for enterprise environments where remote APIs and SaaS integrations are common.
Organizations should begin by enhancing network monitoring and data governance. Security operations centers (SOCs) should flag outbound connections to API endpoints that are atypical for specific user roles or systems. While not all traffic to AI services is suspicious, baselining normal behavior enables anomaly detection when new connections appear unexpectedly. It is further advised that organizations:
- Audit and restrict outbound connections through firewalls and proxies, enforcing policies that limit API access to authorized applications only. Non-business-critical services should not have unrestricted internet access.
- Enable tamper protection and EDR block mode across endpoints. These features prevent malicious actors from disabling security controls or injecting code into legitimate processes.
- Activate cloud-delivered protection and ensure real-time threat intelligence feeds are enabled in security platforms such as Microsoft Defender. Cloud-based detection provides faster response to newly discovered threats like SesameOp.
- Hunt proactively for devices that communicate with API domains unrelated to approved business applications, using queries within tools like Microsoft Sentinel or Defender for Endpoint.
For small and mid-sized organizations, simplified versions of these controls still provide strong defense. Keeping systems patched, segmenting networks, and maintaining clear visibility over SaaS and AI integrations remain essential. Even simple measures such as enforcing multifactor authentication and reviewing logs for unusual process behavior can significantly reduce risk exposure.
The Lessons Threat Actors Don’t Want Enterprises to Learn
The discovery of SesameOp highlights several defining trends shaping the next generation of cyber threats.
- The first is the weaponization of legitimate platforms. In the same way that attackers have previously misused cloud storage or collaboration tools, AI APIs are now being integrated into adversarial operations. This convergence of legitimate and malicious traffic presents a growing detection challenge for defenders.
- Second, adversaries are embracing stealth and persistence over speed. The campaign’s extended dwell time suggests a focus on intelligence gathering rather than immediate exploitation. Such stealth-oriented operations can evade conventional alerting mechanisms that prioritize high-volume or disruptive activity.
- Third, supply-chain and ecosystem abuse are becoming central features of sophisticated attacks. By compromising or misusing APIs from widely trusted providers, adversaries gain indirect access to multiple targets and complicate attribution. This reality demands that executives consider ecosystem risk and how dependencies on third-party APIs, SaaS providers, and AI platforms could expose their organizations.
- Finally, the convergence of AI and cybersecurity creates both risk and opportunity. While AI can be manipulated for malicious use, it also empowers defenders with improved detection, anomaly recognition, and threat-hunting capabilities. Strategic investment in AI-driven security analytics will be critical for organizations seeking to match the pace of evolving adversaries.
From a governance perspective, SesameOp reinforces the need for executive oversight of technology adoption. Boards and senior executives increasingly face accountability not just for financial results, but for cyber resilience and data protection.
The incident demonstrates that trust in cloud services must be balanced with verification. Executives should champion a “trust but verify” approach—mandating continuous monitoring, rigorous identity management, and zero-trust architecture principles across all digital assets.
Furthermore, resource allocation must align with this new threat reality. Investing in endpoint and API visibility, staff training, and incident-response readiness will deliver greater long-term protection than reactive spending following an incident.
Conclusion
Microsoft’s discovery of SesameOp underscores a pivotal transformation in the cyber-threat landscape. The malware’s ability to covertly leverage the OpenAI Assistants API for command and control illustrates how adversaries are now blending legitimate technology with malicious intent. This blurring of boundaries between trusted and hostile activity demands a strategic response that combines technical depth, organizational agility, and executive engagement.
For cybersecurity leaders, the message is clear: detection must extend beyond traditional indicators, governance must encompass API ecosystems, and collaboration across the industry is essential. For executives, the lesson is equally urgent, innovation and security can no longer operate in separate silos. The rapid evolution of threats like SesameOp shows that adversaries will exploit every layer of modern infrastructure, from endpoints to AI platforms.
To stay ahead, organizations must treat cybersecurity not as a reactive function but as an integral element of digital strategy. That means investing in proactive monitoring, resilient architectures, and partnerships that extend protection beyond the enterprise perimeter. The next generation of threats will not announce themselves through obvious malware signatures; they will hide in plain sight, communicating through the same trusted channels that power business innovation.