Microsoft researchers report that OpenAI's APIs are being exploited as backdoors by hackers



Microsoft's Detection and Response Team (DART) has reported on a backdoor malware called 'SesameOp' that exploits an API from OpenAI, the developer of ChatGPT and other applications. Researchers say that threat actors are using the backdoor to conduct long-term espionage operations.

SesameOp: Novel backdoor uses OpenAI Assistants API for command and control | Microsoft Security Blog

https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-backdoor-uses-openai-assistants-api-for-command-and-control/



Microsoft: SesameOp malware abuses OpenAI Assistants API in attacks
https://www.bleepingcomputer.com/news/security/microsoft-sesameop-malware-abuses-openai-assistants-api-in-attacks/

Microsoft: A key OpenAI API is being used for 'espionage' by bad actors | Mashable
https://mashable.com/article/microsoft-warns-openai-api-backdoor-malware-espionage

While investigating a sophisticated security incident in July 2025, DART researchers discovered a new backdoor malware, dubbed SesameOp, that reportedly allowed hackers to gain persistent access within a compromised environment.

OpenAI's Assistants API is a development tool that allows OpenAI's enterprise clients to build AI assistants within their own apps, allowing them to incorporate OpenAI tools such as ChatGPT and Code Interpreter into other third-party apps. The Assistants API will be succeeded by the Responses API, an agent-building API announced in 2025, and is scheduled to be discontinued in August 2026.

SesameOp uses the Assistants API as a command-and-control (C2) channel to retrieve compressed and encrypted commands. The malware decrypts these commands and executes them on the infected system. Information collected during the attack is then encrypted using a combination of symmetric and asymmetric encryption and transmitted through the same API. Rather than relying on traditional methods, the threat actors behind this backdoor are reportedly leveraging OpenAI as a communications conduit (C2 channel) to covertly communicate and orchestrate malicious activity within the compromised environment.
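For defenders, the consequence of C2 riding on a legitimate service is that the destination alone says nothing, so the useful question is which process on which host is talking to the API and for how long. The sketch below is an added illustration, not code from Microsoft's report; the log format, host names, process names and approved-software list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

OPENAI_API_HOST = "api.openai.com"

# Constructed sample egress records: time, host, process, destination, bytes sent
SAMPLE_LOG = """\
2025-07-01T09:12:03Z,ws-014,chat-plugin.exe,api.openai.com,1820
2025-07-01T09:40:11Z,build-07,devtool-helper.exe,api.openai.com,912
2025-07-02T03:15:42Z,build-07,devtool-helper.exe,api.openai.com,40122
2025-07-02T10:02:00Z,ws-014,browser.exe,www.example.com,530
2025-07-03T03:16:05Z,build-07,devtool-helper.exe,API.OpenAI.com.,880
2025-07-03T11:30:19Z,ws-022,chat-plugin.exe,api.openai.com,2210
"""

# Assumption: an inventory of software approved to call the API exists (lowercase names)
APPROVED = {"chat-plugin.exe"}


def find_unexpected_openai_clients(log_text, approved=APPROVED):
    """Return (host, process, connections, distinct_days, bytes_out) per unapproved caller."""
    stats = defaultdict(lambda: {"n": 0, "days": set(), "bytes": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, process, dest, sent = (field.strip() for field in row)
        # Normalise case and a trailing root dot before comparing hostnames
        if dest.lower().rstrip(".") != OPENAI_API_HOST:
            continue
        if process.lower() in approved:
            continue
        entry = stats[(host, process.lower())]
        entry["n"] += 1
        entry["days"].add(ts[:10])  # date part of the ISO timestamp
        entry["bytes"] += int(sent) if sent.isdigit() else 0
    findings = [(h, p, s["n"], len(s["days"]), s["bytes"])
                for (h, p), s in stats.items()]
    # Callers seen on the most distinct days first: repeated contact over time
    return sorted(findings, key=lambda f: (-f[3], -f[2]))


if __name__ == "__main__":
    for finding in find_unexpected_openai_clients(SAMPLE_LOG):
        print(finding)
```

A finding here is a lead for triage, not a verdict: the next step is checking what loaded into the flagged process and whether that host has any business calling the API.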



The attack chain researchers observed included a highly obfuscated loader and a backdoor that leveraged multiple Microsoft Visual Studio utilities compromised by malicious libraries. SesameOp established persistence through an internal web shell and a process designed for long-term espionage.

'SesameOp did not exploit a vulnerability or misconfiguration in the OpenAI platform, but rather exploited functionality built into the Assistants API. Microsoft and OpenAI worked together to investigate the threat actor's misuse of the API and identified and disabled the accounts and API keys used in the attack,' the company said.

'The stealth nature of SesameOp's attacks is consistent with the long-term persistence of attacks aimed at espionage,' Microsoft said. 'Microsoft and OpenAI will continue to work together to better understand and disrupt how threat actors seek to exploit emerging technologies.'



in Web Service, Security, Posted by log1h_ik