Concise Cyber

SesameOp Explained: New Backdoor Leverages OpenAI API for Command and Control

Security researchers at Microsoft have identified a novel backdoor, named SesameOp, which utilizes the OpenAI Assistants API as its command and control (C2) infrastructure. This marks a significant development in threat actor techniques, leveraging a legitimate, high-reputation service to conceal malicious communications.

The SesameOp backdoor was engineered to receive commands by interacting with OpenAI’s platform, a method designed to bypass conventional network security monitoring that typically flags connections to unknown or malicious domains.

How SesameOp Abuses the OpenAI Assistants API

The core of SesameOp’s C2 mechanism is its communication with the OpenAI Assistants API. Once active on a compromised system, the backdoor uses an embedded API key to authenticate with the OpenAI service. It then interacts with a specific “thread” within the Assistants API environment, which is controlled by the attacker.

Attackers issue commands by adding new messages to this designated thread. The SesameOp implant periodically polls the thread for new instructions. Upon finding a new command, the backdoor parses and executes it on the infected device. This method allows the attacker to maintain control over the compromised system using OpenAI’s infrastructure as a covert intermediary.

Detection Challenges and Analysis

The use of the OpenAI API for C2 communications presents a unique challenge for defenders. Network traffic generated by SesameOp appears as legitimate API calls to api.openai.com, a trusted domain. This allows the malicious traffic to blend in with legitimate enterprise use of AI services, making it difficult to isolate and block.

Analysis of the backdoor shows that it communicates by creating, retrieving, and modifying objects within the Assistants API, such as threads and messages. Organizations can monitor for unusual patterns of API usage, such as a high frequency of requests from unexpected server processes, to help identify potential SesameOp activity.
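
The monitoring idea above, as an added example that is not from the original article or from Microsoft's analysis: it flags processes outside an expected set that make frequent requests to api.openai.com. The log format, host and process names, allowlist and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: processes this organization expects to call the OpenAI API.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "python.exe"}
TARGET_HOST = "api.openai.com"

# Constructed sample telemetry (not real data): timestamp,host,process,dest_host
SAMPLE_LOG = """\
2025-01-10T09:00:00,WS-014,chrome.exe,api.openai.com
2025-01-10T09:00:30,WS-014,chrome.exe,api.openai.com
2025-01-10T09:01:00,WS-014,chrome.exe,api.openai.com
2025-01-10T09:01:30,WS-014,chrome.exe,api.openai.com
2025-01-10T09:02:00,WS-014,chrome.exe,api.openai.com
2025-01-10T09:00:00,SRV-DB02,svc_helper.exe,api.openai.com
2025-01-10T09:02:00,SRV-DB02,svc_helper.exe,api.openai.com
2025-01-10T09:04:00,SRV-DB02,svc_helper.exe,api.openai.com
2025-01-10T09:06:00,SRV-DB02,svc_helper.exe,api.openai.com
2025-01-10T09:08:00,SRV-DB02,svc_helper.exe,api.openai.com
2025-01-10T08:00:00,WS-020,updater.exe,api.openai.com
2025-01-10T09:00:00,WS-020,updater.exe,api.openai.com
"""

def find_suspects(log_text, min_requests=5, window=timedelta(minutes=10)):
    """Return {(host, process): peak request count in any window} for unexpected callers."""
    times = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, process, dest = (field.strip() for field in line.split(","))
        if dest.lower() == TARGET_HOST and process.lower() not in EXPECTED_PROCESSES:
            times[(host, process.lower())].append(datetime.fromisoformat(ts))
    suspects = {}
    for key, stamps in times.items():
        stamps.sort()
        start = best = 0
        for end in range(len(stamps)):
            # Shrink the sliding window until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_requests:
            suspects[key] = best
    return suspects

if __name__ == "__main__":
    for (host, proc), count in find_suspects(SAMPLE_LOG).items():
        print(f"{host}: {proc} made {count} requests to {TARGET_HOST} within the window")
```

The allowlist does the real work here: a frequency threshold alone would also flag the browser in the sample data, so tune both to the organization's actual AI usage.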