Hackers are exploiting OpenAI accounts to relay encrypted commands to compromised devices and store stolen data. A sophisticated new backdoor has been discovered that abuses public AI infrastructure.
A targeted espionage attack, unveiled by the Microsoft Detection and Response Team (DART), relied on OpenAI infrastructure to remain undetected for months.
Attackers deployed a new backdoor that utilized OpenAI’s Assistants API for stealthy command and control (C2) purposes.
“A threat actor integrated the OpenAI Assistants API within a backdoor implant to establish a covert C2 channel, leveraging the legitimate service rather than building a dedicated infrastructure for issuing and receiving instructions,” the DART report on novel backdoor reads.
Typically, attackers control their own C2 infrastructure to orchestrate malicious activities and exfiltrate data. However, abusing legitimate services helps to blend in with the legitimate traffic and remain undetected.
The researchers dubbed the new backdoor “SesameOp.” It fetches encrypted commands via the API from the OpenAI account. Once the tasks are completed, the malware sends the compressed and encrypted results back to OpenAI as a message.
The attackers don’t even need any help from the AI models – they’re using accounts just for relaying the encrypted messages/data.
OpenAI and Microsoft assure that the exploitation doesn’t represent any vulnerabilities or misconfigurations in the service itself, but rather a misuse of built-in capabilities. Moreover, OpenAI will deprecate the affected Assistants API in August 2026.
What do we know about the new backdoor?
The malware was discovered in July 2025, during an investigation of a “sophisticated security incident.” Attackers had been lurking in the victim’s environment for several months prior to being detected.
“The investigation uncovered a complex arrangement of internal web shells, which were responsible for running commands relayed from persistent, strategically placed malicious processes,” the Microsoft researchers said.
Malicious libraries were inserted into multiple Microsoft Visual Studio utilities to evade detection and maintain persistence.
The conversation on this topic is live. Join in the discussion.
SesameOP was a component facilitating covert external communications. Researchers found “sophisticated techniques employed to secure and obfuscate communications,” including compression and multiple layers of symmetric and asymmetric encryption, leaving OpenAI unaware of the contents.
The backdoor module “OpenAIAgent.Netapi64” was written for Microsoft’s .NET platform, heavily obfuscated, and designed to hide the behavior from endpoint protection systems.
Contrary to its name, the backdoor doesn’t utilize any OpenAI agent software development kits or model execution features.
It loads configurations, but abuses the OpenAI API key to parse instructions marked with one of the three self-explanatory options: “SLEEP,” “Payload,” or “Result.”
When the commands are completed, the malware compresses the results using GZIP, encrypts the archive with a 32-byte AES key, and then encrypts the key using a hardcoded RSA public key. It posts the final result to OpenAI as a new message.
To defend against this novel threat, Microsoft recommends monitoring devices connecting to OpenAI API endpoints, auditing exposed systems, enforcing strict firewall/proxy rules, enabling tamper protection and real-time protection in endpoint security, and other mitigations.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked