Prompt injection has emerged as a critical security threat to large language models (LLMs), yet existing studies predominantly focus on single-dimensional attack strategies, such as semantic rewriting or character-level obfuscation, which fail to capture the combined effects of multi-space perturbations in realistic scenarios. In addition, systematic black-box robustness evaluations of recent Chinese LLMs, such as DeepSeek, remain limited. To address these gaps, we propose PromptFuzz-SC, a semantic-character dual-space mutation framework for evaluating LLM robustness against prompt injection. The framework integrates semantic transformations (e.g., paraphrasing and word-order perturbation) with character-level obfuscation (e.g., zero-width insertion and encoding-based mutation), forming a unified and extensible mutation operator library. A hybrid search strategy combining epsilon-greedy exploration and hill-climbing refinement is adopted to efficiently discover high-quality adversarial prompts. We further introduce a unified evaluation protocol based on three metrics: misuse success rate (MSR), Average Queries to Success (AQS), and Stealth. Experimental results on DeepSeek demonstrate that dual-space mutation achieves the strongest overall attack performance among the evaluated strategies, attaining the highest mean MSR (0.189), peak MSR (0.375), and mean Stealth. Compared with semantic-only and character-only mutation, it improves mean MSR by 12.5% and 5.6%, respectively. While not consistently minimizing query cost, the proposed method achieves competitive best-case efficiency and maintains strong imperceptibility, indicating a more favorable balance between attack effectiveness and concealment. These findings highlight the importance of composite mutation strategies for robust red-teaming of LLMs and provide practical insights for the design of multi-layer defense mechanisms.

翻译：提示注入已成为大语言模型（LLMs）的关键安全威胁，然而现有研究主要聚焦于单一维度攻击策略（如语义改写或字符级混淆），未能捕捉真实场景中多空间扰动的联合效应。此外，针对DeepSeek等中文大语言模型的系统性黑盒鲁棒性评估仍十分有限。为弥补这些不足，我们提出PromptFuzz-SC——一个用于评估LLMs对提示注入鲁棒性的语义-字符双空间变异框架。该框架将语义变换（如同义改写和词序扰动）与字符级混淆（如零宽字符插入和基于编码的变异）整合为统一可扩展的变异算子库，并采用融合epsilon-贪婪探索与爬山优化的混合搜索策略高效发现高质量对抗性提示。我们进一步提出基于三个指标的统一评估协议：误用成功率（MSR）、成功平均查询次数（AQS）与隐蔽性（Stealth）。在DeepSeek上的实验表明，双空间变异在所有评估策略中实现了最强的综合攻击性能，获得最高平均MSR（0.189）、峰值MSR（0.375）及平均Stealth值。与纯语义变异和纯字符变异相比，该方法的平均MSR分别提升12.5%和5.6%。尽管未持续优化查询成本，所提方法仍能在最佳情况下实现高效性并保持强不可感知性，体现了攻击效能与隐蔽性之间的更优平衡。这些发现凸显了复合变异策略对于LLMs鲁棒红队测试的重要性，并为多层防御机制的设计提供了实践启示。