Particle.news

Microsoft Uncovers ‘SesameOp’ Backdoor Using OpenAI Assistants API for Stealthy C2

OpenAI disabled the implicated API account following Microsoft's disclosure.

Overview

  • Microsoft’s Detection and Response Team identified the custom backdoor during a July 2025 intrusion in which attackers maintained months of persistence consistent with espionage goals.
  • The infection chain features a heavily obfuscated .NET loader named Netapi64.dll, AppDomainManager injection into Microsoft Visual Studio utilities, and internal web shells for durable access.
  • SesameOp retrieves compressed, encrypted commands from the Assistants API, decrypts and executes them locally, then posts execution results back through the same API channel.
  • Microsoft and OpenAI coordinated on the investigation, leading to the disabling of the adversary’s account and API key, and Microsoft emphasized the abuse of legitimate API features rather than any platform vulnerability.
  • Defensive guidance includes auditing firewall logs, enabling tamper protection, turning on endpoint detection in block mode, and monitoring unusual connections to OpenAI endpoints, noting that the Assistants API is slated for deprecation in August 2026.
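The AppDomainManager injection mentioned above relies on documented .NET Framework settings: `appDomainManagerAssembly` and `appDomainManagerType` elements under `<runtime>` in an application's .config file, or the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables. The following host-check is an added example, not code from Microsoft's report; the sample configs and the type name `Loader.Manager` are constructed, and only the assembly name `Netapi64` comes from the page.

```python
import xml.etree.ElementTree as ET

# Config elements under <runtime> that make the .NET Framework load a custom
# AppDomainManager from an arbitrary assembly before the program's own code runs.
CONFIG_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Environment variables with the same effect, read at process start.
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed samples: a benign .exe.config, and one pointing the runtime at a
# sibling assembly named like the loader in the report (type name is made up).
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Netapi64" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>"""


def config_indicators(config_xml):
    """Return {element: value} for AppDomainManager settings found under
    <runtime>; empty when none are present or the XML does not parse."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]  # tolerate a namespace prefix
            if tag in CONFIG_ELEMENTS:
                found[tag] = child.get("value", "")
    return found


def env_indicators(env):
    """Return the AppDomainManager environment variables present in env."""
    return {name: env[name] for name in ENV_VARS if name in env}


def assess(config_xml, env):
    """Combine both sources into one verdict for a host-based check."""
    hits = config_indicators(config_xml)
    hits.update(env_indicators(env))
    return ("suspicious" if hits else "clean"), hits
```

In practice you would run `assess` over each `*.exe.config` next to the Visual Studio utilities named in the report together with the environment of the running process; any hit naming an assembly that is not part of the product warrants investigation.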