Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

Apple brings its App Store to the web

Apple has launched its App Store on the web, offering a central hub where you can browse through different categories of apps across all of the company’s devices, as spotted earlier by MacRumors and 9to5Mac. Now, when you navigate to apps.apple.com, you’ll see the revamped interface instead of a webpage that just contains information about the App Store. 

There’s no way to download apps from the App Store on the web, however. Apple just gives you the option to share an app or open it directly inside the App Store installed on your device.

Along with the ability to switch between listings of apps for the iPhone, iPad, Mac, Vision Pro, Apple Watch, and Apple TV, you can check out recommendations on the Today tab as well as sort apps by category, such as productivity, entertainment, adventure, and more.

The new web-based App Store also serves as a portal where you can search for apps, too. Apple previously offered webpages for each of its apps, but they weren’t easily accessible or searchable unless it was from a direct link.

alvinashcraft
5 hours ago
Pennsylvania, USA

Windows 7 Squeezed To 69MB in Proof-of-Concept Build

A developer operating under the handle @XenoPanther has stripped Windows 7 down to 69MB. The OS boots but runs almost nothing because critical files like common dialog boxes and common controls are missing. @XenoPanther described the project on X as "more of a fun proof of concept rather than something usable." The desktop appears and the genuine check remains intact.

Read more of this story at Slashdot.


Studio Ghibli, Bandai Namco, Square Enix demand OpenAI stop using their content to train AI

The Content Overseas Distribution Association (CODA), an anti-piracy organization representing Japanese IP holders like Studio Ghibli and Bandai Namco, released a letter last week asking OpenAI to stop using its members’ content to train Sora 2, as reported by Automaton. The letter states that “CODA considers that the act of replication during the machine learning process may constitute copyright infringement,” since the resulting AI model went on to spit out content with copyrighted characters. 

Sora 2 generated an avalanche of content containing Japanese IP after it launched on September 30th, prompting Japan’s government to formally ask OpenAI to stop replicating Japanese artwork. This isn’t the first time one of OpenAI’s apps clearly pulled from Japanese media, either — the highlight of GPT-4o’s launch back in March was a proliferation of “Ghibli-style” images. Even Sam Altman’s own profile picture on X is currently a portrait in a style reminiscent of Studio Ghibli. 

Altman announced last month that OpenAI will be changing Sora’s opt-out policy for IP holders, but CODA claims that the use of an opt-out policy to begin with may have violated Japanese copyright law, stating, “under Japan’s copyright system, prior permission is generally required for the use of copyrighted works, and there is no system allowing one to avoid liability for infringement through subsequent objections.” 

CODA is now requesting on behalf of its members that OpenAI “responds sincerely” to its members’ copyright claims and stops using their content for machine learning without their permission, which seems to include not just Sora output, but also the use of Japanese IP as training data.


The AI industry is running on FOMO

For Big Tech, a penny invested in AI is a penny earned… Maybe. After an indeterminate amount of time. Investors hope.

On earnings calls last week, Amazon, Google, Microsoft, and Meta reported more than $350 billion this year on capital expenditures, or longer-tail investments in a company's future. All four told investors to expect the number to skyrocket even further next year: Microsoft said "higher," Amazon an "increase," Google a "significant increase," and Meta "notably larger."

That probably translates to more than $400 billion total for the four companies next year, according to Joe Fath, partner and head of growth at Eclipse VC.

Read the full story at The Verge.


Download: Apple Releases iPadOS 26.1, macOS 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1

Alongside iOS 26.1 and iPadOS 26.1 that we already detailed, Apple has also released macOS 26.1, visionOS 26.1, tvOS 26.1, and watchOS 26.1 for compatible Mac, Vision Pro, Apple TV and Apple Watch devices.

The post Download: Apple Releases iPadOS 26.1, macOS 26.1, tvOS 26.1, watchOS 26.1, visionOS 26.1 first appeared on Redmond Pie.


SesameOp: Novel backdoor uses OpenAI Assistants API for command and control

Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel to stealthily communicate and orchestrate malicious activities within the compromised environment. To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.

The backdoor, which we’ve named SesameOp, was discovered in July 2025, when DART researchers responded to a sophisticated security incident, where the threat actors had maintained a presence within the environment for several months prior to the engagement. The investigation uncovered a complex arrangement of internal web shells, which were responsible for running commands relayed from persistent, strategically placed malicious processes. These processes leveraged multiple Microsoft Visual Studio utilities that had been compromised with malicious libraries, a defense evasion method known as .NET AppDomainManager injection.

Hunting across other Visual Studio utilities loading unusual libraries led to the discovery of additional files that could facilitate external communications with the internal web shell structure. Analysis of one such artifact identified SesameOp, a covert backdoor purpose-built to maintain persistence and allow a threat actor to stealthily manage compromised devices. The stealthy nature of SesameOp is consistent with the objective of the attack, which was determined to be long-term persistence for espionage-type purposes.

This blog post outlines our analysis of SesameOp and its inner workings and highlights the capability of threat actors to adjust their tactics, techniques, and procedures (TTPs) in response to rapid technological developments. We’re sharing these findings with the broader security research community to help disrupt this backdoor and improve defenses against this and similar threats.

This threat does not represent a vulnerability or misconfiguration, but rather a way to misuse built-in capabilities of the OpenAI Assistants API, which is being deprecated in August 2026. Microsoft and OpenAI jointly investigated the threat actor’s use of the OpenAI Assistants API. DART shared the findings with OpenAI, who identified and disabled an API key and associated account believed to have been used by the actor. The review confirmed that the account had not interacted with any OpenAI models or services beyond limited API calls. Microsoft and OpenAI continue to collaborate to better understand and disrupt how threat actors attempt to misuse emerging technologies.

Technical analysis  

Our investigation uncovered how a threat actor integrated the OpenAI Assistants API within a backdoor implant to establish a covert C2 channel, leveraging the legitimate service rather than building a dedicated infrastructure for issuing and receiving instructions. Our analysis revealed sophisticated techniques employed to secure and obfuscate communications, including payload compression to minimize size, as well as layered encryption mechanisms, both symmetric and asymmetric, to protect command data and exfiltrated results.

The infection chain consists of a loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64) that leverages OpenAI as a C2 channel. The dynamic link library (DLL) is heavily obfuscated using Eazfuscator.NET and is designed for stealth, persistence, and secure communication using the OpenAI Assistants API. Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable.

Netapi64.dll loader

Netapi64.dll is obfuscated with Eazfuscator.NET, a tool used to obfuscate .NET applications. The DLL creates the file C:\Windows\Temp\Netapi64.start as a marker. It also creates a mutex to ensure that only one instance is running in memory. Any exceptions with an error message are written to C:\Windows\Temp\Netapi64.Exception.

Figure 1. Netapi64.dll enumerates files in Temp directory

The Netapi64.dll loader enumerates the files under C:\Windows\Temp\ and checks for a file ending with .Netapi64. The loader then XOR-decodes the file and runs it.

Figure 2. Decoding and invoking the SesameOp backdoor
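
A host-side check for the artifacts described in this section, as an added example that is not part of the original post or of Microsoft's tooling: it looks for the loader's marker files and any file ending in .Netapi64 in a Temp directory, and lists application .config files that set a custom AppDomainManager. The sample directory layout and the assembly and type names in it are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Artifact names reported in the write-up, compared case-insensitively.
MARKER_FILES = {"netapi64.start", "netapi64.exception"}
PAYLOAD_SUFFIX = ".netapi64"
# .NET <runtime> configuration elements that select a custom AppDomainManager.
ADM_ELEMENTS = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed sample config; the assembly and type names are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLib, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleNamespace.ExampleManager" />
  </runtime>
</configuration>
"""


def scan_temp_dir(temp_dir):
    """Return sorted (kind, path) findings for loader artifacts in temp_dir."""
    findings = []
    for name in os.listdir(temp_dir):
        lower = name.lower()
        path = os.path.join(temp_dir, name)
        if lower in MARKER_FILES:
            findings.append(("marker", path))
        elif lower.endswith(PAYLOAD_SUFFIX):
            findings.append(("encoded-payload", path))
    return sorted(findings)


def adm_settings(config_path):
    """Return {element: value} for AppDomainManager settings in a .config file."""
    try:
        root = ET.parse(config_path).getroot()
    except (ET.ParseError, OSError):
        return {}  # unreadable or malformed XML: nothing to report
    found = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace
        if tag in ADM_ELEMENTS:
            found[tag] = elem.get("value", "")
    return found


def scan_configs(root_dir):
    """Walk root_dir and return (path, settings) for configs that set an AppDomainManager."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith((".exe.config", ".dll.config")):
                path = os.path.join(dirpath, name)
                settings = adm_settings(path)
                if settings:
                    hits.append((path, settings))
    return sorted(hits, key=lambda hit: hit[0])


def write_constructed_sample(base):
    """Create a constructed directory layout to exercise the scanners."""
    temp_dir, tools_dir = os.path.join(base, "Temp"), os.path.join(base, "Tools")
    os.makedirs(temp_dir)
    os.makedirs(tools_dir)
    for name in ("Netapi64.start", "Example.Netapi64", "setup.log"):
        open(os.path.join(temp_dir, name), "w").close()
    with open(os.path.join(tools_dir, "host.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    with open(os.path.join(tools_dir, "clean.exe.config"), "w", encoding="utf-8") as fh:
        fh.write("<configuration><runtime /></configuration>")
    return temp_dir, tools_dir
```

A config hit is a lead for review rather than a verdict: check whether the named assembly sits beside the host executable and whether it is signed and expected there.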

OpenAIAgent.Netapi64 backdoor

Microsoft security researchers determined that the malware component OpenAIAgent.Netapi64 contains the main functionality that enables the backdoor to operate. Contrary to its name, OpenAIAgent.Netapi64 does not utilize OpenAI agent software development kits (SDKs) or model execution features. Instead, it uses OpenAI Assistants API to fetch commands, which the malware then decrypts and executes locally. Once the tasks are completed, it sends the results back to OpenAI as a message. To stay under the radar, it uses compression and encryption, ensuring both the incoming payload and the outgoing results remain hidden.

Figure 3. Core method that invokes backdoor functionality

At launch, it creates the mutex OpenAI APIS, reads the configuration from the .NET resource section TextFile1 of the executable, and parses it:

<OpenAI_API_Key>|<Dictionary_Key_Name>|<Proxy>

The configuration is split using a pipe (|). The first part (OpenAIAgent.token) contains the OpenAI API key and the second part (OpenAIAgent.aaazzz) is used by the embedded .NET module as a dictionary key selector. The third part (OpenAIAgent.proxy) specifies the proxy address.

Figure 4. Extracting config from .NET resource section

The code checks whether the third part of the configuration specifies a proxy address and, if so, uses it. If no proxy is specified, it falls back to the system default web proxy.

Figure 5. Configuring proxy settings

The backdoor obtains the hostname and applies Base64 encoding. If the hostname is unavailable, it uses NAMEXXX as a placeholder.

First, the backdoor queries the vector store list from OpenAI using the OpenAI Assistants API and the hardcoded API key. The backdoor also checks if the vector store name contains hostnames by parsing the response. If, for example, the host is communicating for the first time, OpenAI would not have the hostname, so it would create a vector store using the hostname of the infected machine.

Figure 6. Creating or requesting vector store ID

The vector store list retrieved from OpenAI might look like this:

Figure 7. Vector store list from OpenAI

Next, it retrieves the list of Assistants created in the OpenAI account (up to 100 Assistants, with pagination controlled by the limit query parameter). From the response, it populates the Assistant ID, name, description, and instructions variables.

In the context of OpenAI, Assistants refer to a feature within the OpenAI platform that allows developers and organizations to create custom AI agents tailored to specific tasks, workflows, or domains. These Assistants are built on top of OpenAI’s models (like GPT-4 or GPT-4.1) and can be extended with additional capabilities.

Figure 8. Retrieving Assistants list

An Assistants list retrieved from OpenAI might look like this:

Figure 9. Assistants list from OpenAI

In the response above, the description field is set to SLEEP. The description field contains one of the following three options:

  • SLEEP
  • Payload
  • Result

Figure 10. Command options

When the description is set to SLEEP, the backdoor reads the instruction value and splits the string with [._.] as delimiter. The first element is the thread ID and the second element is the message ID. The backdoor retrieves the message from OpenAI using both the thread ID and message ID.

Figure 11. Reading message from OpenAI

The message retrieved from OpenAI using thread ID and message ID might look like this:

Figure 12. Message retrieved from OpenAI

The backdoor parses the timeSLEEP field from the response received from OpenAI. The value is then used to perform a thread sleep operation.

Figure 13. Retrieving timeSLEEP value

In the Assistants list, if the description field contains Payload, the backdoor retrieves the message from OpenAI using the thread ID and message ID extracted from the instructions field and deletes the message and the Assistant using message ID and Assistant ID, respectively.

Figure 14. Processing the message retrieved from OpenAI

After the message is read from OpenAI, the backdoor invokes a separate thread for execution.

Figure 15. Invoking separate thread to process payload

The invoked thread begins parsing the message. The message consists of two parts separated by a space. The message is split into an array of two elements:

  • The first element is a 32-byte AES key, which is Base64-decoded and decrypted using a hardcoded RSA private key.
  • The second element is Base64-decoded, decrypted with AES algorithm using the key derived from the first element, and decompressed with GZIP.

Figure 16. Decrypting and decompressing the payload

The decrypted message undergoes additional processing and is converted into a dictionary through the following steps:

  1. Split by ampersands (&): The decrypted message is divided using & as the delimiter, with empty entries removed.
  2. Split each pair by equal sign (=): Each resulting substring is split by = with a maximum of 2 parts to separate keys from values.
  3. URL decoding: Both the key and value are decoded using HttpUtility.UrlDecode() with UTF-8 encoding to handle special characters.

Figure 17. Transforming the message into dictionary

After converting the final message into a dictionary and retrieving the OpenAIAgent.aaazzz key from the configuration, both are passed as parameters to the executeWithJScriptEngine method. The method first checks whether OpenAIAgent.httpApplicationState["MicroWxx"] is null. If it is null, the code Base64-decodes and GZIP-decompresses the embedded .NET module. Using reflection, the backdoor then dynamically loads this module and calls the Frameworks method with the provided parameters. If MicroWxx is already present in the Application State (i.e., the check for null fails), the code skips the decoding and decompression steps of the embedded module and directly loads and executes the method retrieved from Application State.

Figure 18. Invoking embedded module to execute payload

The Frameworks method initializes a Microsoft JScript VsaEngine, then loops through the message dictionary (DicT) to construct a NameValueCollection. It retrieves a key from the configuration (Pwd) and uses this key to find the corresponding value in the collection. This value is then executed using Eval.JScriptEvaluate, and the result of this execution is returned to the original caller of the module.

Figure 19. Executing payload using Eval.JScriptEvaluate

After launch, a 32-byte AES key is created. The result is first compressed with GZIP, then encrypted using AES with this key, and finally encoded in Base64. The AES key itself is encrypted using a hardcoded RSA public key found in the backdoor, and this encrypted key is also Base64-encoded. Both the encrypted key and the processed result are joined together, separated by a space character.

Figure 20. Compressing and encrypting results

The processed result is posted to OpenAI as a new message with the same thread ID retrieved earlier from the description field.

Figure 21. Posting the results as message to OpenAI

The backdoor creates a new Assistant with the Base64-encoded hostname as the Assistant name. The thread ID and the ID of the new message, where the results are posted, are concatenated using the delimiter [._.]. The instructions field is set to the concatenated thread ID and message ID, and the description field is set to Result. This signals to the actor that the result obtained by executing the payload is ready.

Figure 22. Creating Assistant using Base64-encoded hostname

Finally, it performs a POST request to vector store using the vector store ID.
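
For responders reviewing an Assistants-list response captured during an investigation (for example, from a TLS-inspecting proxy), the signalling convention described above can be checked record by record. This is an added example, not code from the original post; the sample listing, its IDs and its hostname are constructed, and the exact-match test on the description value and the two-indicator threshold are assumptions.

```python
import base64
import binascii
import json

SIGNAL_VALUES = {"SLEEP", "Payload", "Result"}  # description values from the write-up
DELIMITER = "[._.]"                              # separates thread ID and message ID

# Constructed sample of an Assistants-list response body; all IDs are placeholders.
SAMPLE_LISTING = json.dumps({"object": "list", "data": [
    {"id": "asst_EXAMPLE1", "name": base64.b64encode(b"WORKSTATION-01").decode(),
     "description": "SLEEP", "instructions": "thread_EXAMPLE[._.]msg_EXAMPLE"},
    {"id": "asst_EXAMPLE2", "name": "Math Tutor",
     "description": "Helps with algebra", "instructions": "You are a personal math tutor."},
    # Benign record whose description happens to collide with a signal value.
    {"id": "asst_EXAMPLE3", "name": "Result", "description": "Result", "instructions": None},
]})


def decode_hostname(name):
    """Return the decoded text if name is strict Base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(name or "", validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text and text.isprintable() else None


def triage_assistant(record):
    """Score one Assistants-list record against the three indicators."""
    reasons = []
    desc = (record.get("description") or "").strip()
    if desc in SIGNAL_VALUES:
        reasons.append("description=" + desc)
    parts = (record.get("instructions") or "").split(DELIMITER)
    thread_id = message_id = None
    if len(parts) == 2 and all(parts):
        thread_id, message_id = parts
        reasons.append("instructions hold a thread/message ID pair")
    host = decode_hostname(record.get("name"))
    if host:
        reasons.append("name is Base64 of " + repr(host))
    return {"id": record.get("id"), "score": len(reasons), "reasons": reasons,
            "thread_id": thread_id, "message_id": message_id, "host": host}


def triage_listing(listing_json, min_score=2):
    """Return records matching at least min_score indicators."""
    records = json.loads(listing_json).get("data", [])
    results = [triage_assistant(r) for r in records]
    return [r for r in results if r["score"] >= min_score]


if __name__ == "__main__":
    for hit in triage_listing(SAMPLE_LISTING):
        print(hit["id"], hit["score"], hit["reasons"])
```

Requiring two indicators keeps a benign Assistant whose description is simply "Result" out of the results, while the decoded host name ties a matching record back to a device.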

Mitigation and protection guidance

Microsoft recommends the following mitigations to reduce the impact of this threat.

  • Audit and review firewalls and web server logs frequently. Be aware of all systems exposed directly to the Internet.
  • Use Windows Defender Firewall, intrusion prevention systems, and network firewall to block C2 server communications across endpoints whenever feasible. This approach can help mitigate lateral movement and other malicious activities.
  • Review and configure your perimeter firewall and proxy settings to limit unauthorized access to services, including connections through non-standard ports.
  • Ensure that tamper protection is enabled in Microsoft Defender for Endpoint.
  • Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
  • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Turn on potentially unwanted applications (PUA) protection in block mode in Microsoft Defender Antivirus. PUA are a category of software that can cause your machine to run slowly, display unexpected ads, or install other software that might be unexpected or unapproved.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
  • Turn on Microsoft Defender Antivirus real-time protection.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects this threat as the following malware: 

Microsoft Defender for Endpoint 

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

  • Possible dotnet process AppDomainManager injection

Microsoft Security Copilot

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:

  • Incident investigation
  • Microsoft User analysis
  • Threat actor profile
  • Threat Intelligence 360 report based on MDTI article
  • Vulnerability impact assessment

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Devices connecting to OpenAI API endpoints

//show number of devices connecting to https://api.openai.com per InitiatingProcessFileName, and number of days in the period where the connection was observed
DeviceNetworkEvents
| where RemoteUrl endswith "api.openai.com"
| summarize Connections = count() by DayOfConnection = bin(TimeGenerated, 1d), DeviceName, InitiatingProcessFileName, RemoteUrl
| summarize TotalConnections = sum(Connections), DaysWithConnections = dcount(DayOfConnection), DistinctDevices = dcount(DeviceName) by InitiatingProcessFileName, RemoteUrl

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Microsoft is committed to delivering comprehensive customer experience through various Microsoft offerings. Our approach goes beyond traditional support by focusing on detection, prevention, and in-depth mitigation to help customers quickly respond to security incidents and build resiliency. Check our Unified and Security eBook and visit https://aka.ms/Unified.

The post SesameOp: Novel backdoor uses OpenAI Assistants API for command and control appeared first on Microsoft Security Blog.
