SesameOp Backdoor Exploits OpenAI Assistants API for Stealthy Cloud C2, Microsoft DART Warns

CyberSecureFox 🦊

Microsoft’s Detection and Response Team (DART) has identified a backdoor dubbed SesameOp that abuses the OpenAI Assistants API to establish a covert command‑and‑control (C2) channel. According to Microsoft’s investigation, the operators maintained control of compromised hosts for months and evaded traditional monitoring during an attack observed in July 2025.

How SesameOp turns AI APIs into a covert C2 channel

Instead of using self‑hosted C2 servers that are prone to blocking, SesameOp hides behind a legitimate cloud communication path. Commands are sent through the Assistants API in compressed and encrypted form; the agent decrypts instructions locally and executes them. Data exfiltration flows back through the same API using a combination of symmetric and asymmetric encryption to preserve confidentiality and integrity.

Attack chain: obfuscated loader, .NET backdoor, and AppDomainManager abuse

Microsoft Incident Response notes that the compromise involved a heavily obfuscated loader and a .NET backdoor. Initial execution leveraged .NET AppDomainManager injection, affecting certain Microsoft Visual Studio utilities. This choice complicates forensic analysis, increases resilience to removal, and helps the malware blend into developer workflows.

Persistence and operational focus

For long‑term access, the operators deployed internal web shells and background processes, consistent with low‑and‑slow espionage tradecraft rather than smash‑and‑grab tactics. The emphasis is on remaining quiet and durable, not on exploiting platform vulnerabilities.

Why cloud C2 is attractive: trusted domains and encrypted traffic

Abusing SaaS and cloud platforms for C2 has become a mainstream evasion technique. Threat actors have previously used messaging apps and developer services (e.g., Telegram, Discord, and Git‑hosted content) to blend malicious traffic with normal operations. The key advantage is the legitimacy of the domains combined with default TLS encryption, which together weaken IP/domain reputation lists and simple deny‑by‑destination controls. SesameOp underscores the shift toward living‑off‑trusted‑services to mimic routine enterprise traffic.

Microsoft and OpenAI response: account and key disruption

Microsoft and OpenAI conducted a joint investigation, identifying and disabling the account and API key used in the campaign and blocking associated infrastructure. Importantly, SesameOp did not exploit a platform vulnerability or misconfiguration; it abused standard API functionality. This highlights the need for behavioral analytics and context‑aware controls around cloud and AI service usage.

Defensive guidance: visibility, control, and analytics

Network egress and traffic profiling

– Implement egress control with granular allow‑lists for cloud APIs (by domain and path) and use policy‑enforcing proxies to minimize broad permissions.

– Where legally and operationally feasible, apply TLS inspection and leverage SNI, JA3, and HTTP header telemetry for behavioral profiling of AI/LLM service access.

Endpoint execution control and .NET telemetry

– Monitor for anomalous .NET loads, AppDomainManager events, and code injection into developer tools such as Visual Studio. Tune EDR/AV to flag unusual application domain creation and dynamic assembly loading.

– Detect web shells via content inspection, web directory integrity checks, and rules identifying long‑lived, low‑throughput sessions and atypical User‑Agent strings.

Access governance and API key management

– Enforce strict API key issuance and rotation, and continuously monitor usage patterns, geolocation, and volumes. Treat anomalies as triggers for revocation and investigation.

– Deploy UEBA and other behavioral analytics to surface “quiet” C2 patterns: periodic short beacons, fixed intervals, and host‑specific anomalies.
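
The "quiet" C2 pattern in the last bullet (short beacons at near-fixed intervals from a single host) can be tested over proxy or egress logs. The following is an added example, not detection logic from Microsoft or from this site; the record layout, host and process names, and thresholds are assumptions, and the sample records are constructed.

```python
import statistics
from collections import defaultdict

AI_API_HOSTS = {"api.openai.com"}  # destinations to profile; extend per environment

# Constructed sample proxy records: (epoch_seconds, host, process, dest, bytes_out)
def sample_records():
    recs = []
    # Hypothetical build host: small requests every ~300 s from a developer utility
    for i, jitter in enumerate([0, 4, -3, 2, -5, 1, 3, -2]):
        recs.append((1000 + i * 300 + jitter, "build-07", "devtool.exe",
                     "api.openai.com", 900))
    # Hypothetical analyst laptop: bursty, human-driven use with varied sizes
    for t, size in [(1000, 4200), (1012, 18000), (1020, 2500), (2900, 30000),
                    (2915, 5200), (6100, 800), (6104, 22000), (9000, 7000)]:
        recs.append((t, "lap-22", "chrome.exe", "api.openai.com", size))
    # A destination outside the profiled set is ignored by the detector
    recs.append((1500, "build-07", "devtool.exe", "example.org", 500))
    return recs

def find_beacons(records, min_events=6, max_cv=0.1, max_median_bytes=2048):
    """Flag (host, process, dest) groups with near-fixed intervals and small payloads."""
    groups = defaultdict(list)
    for ts, host, proc, dest, size in records:
        if dest in AI_API_HOSTS:
            groups[(host, proc, dest)].append((ts, size))
    findings = []
    for key, events in groups.items():
        if len(events) < min_events:
            continue  # too few observations to judge periodicity
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        # Coefficient of variation: low values mean machine-like regularity
        cv = statistics.pstdev(gaps) / mean_gap
        median_bytes = statistics.median(s for _, s in events)
        if cv <= max_cv and median_bytes <= max_median_bytes:
            findings.append({"key": key, "mean_gap_s": round(mean_gap, 1),
                             "cv": round(cv, 3), "median_bytes": median_bytes})
    return findings

if __name__ == "__main__":
    for finding in find_beacons(sample_records()):
        print(finding)
```

Grouping by process as well as host matters here: the same destination reached from a browser and from a developer utility are different behaviours, and only the latter shows the fixed-interval profile.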

Industry implications: from IOC blocking to behavior‑centric defense

SesameOp illustrates a broader trend: attackers prioritize operational stealth and abuse of trusted cloud services over vulnerability exploitation. Controls centered on IOCs and destination blocking are insufficient against C2 over reputable SaaS and AI platforms. Effective defense requires a combination of context‑aware access controls, process‑level telemetry, network behavior analytics, and close coordination with cloud providers.

Organizations should reassess outbound access to AI platforms, audit calls to the Assistants API, strengthen monitoring across .NET and AppDomainManager mechanisms, and implement rapid key revocation processes. By combining privacy‑preserving inspection, robust egress policies, and behavior‑based detection, defenders can materially reduce the dwell time of comparable cloud‑enabled espionage campaigns.
