Modern language models remain vulnerable to backdoor attacks via poisoned data, where training inputs containing a trigger are paired with a target output, causing the model to reproduce that behavior whenever the trigger appears at inference time. Recent work has emphasized stealthy attacks that stress-test data-curation defenses using stylized artifacts or token-level perturbations as triggers, but this focus leaves a more practically relevant threat model underexplored: backdoors tied to naturally occurring semantic concepts. We introduce SteganoBackdoor, an optimization-based framework that constructs SteganoPoisons, steganographic poisoned training examples in which a backdoor payload is distributed across a fluent sentence while exhibiting no representational overlap with the inference-time semantic trigger. Across diverse model architectures, SteganoBackdoor achieves high attack success under constrained poisoning budgets and remains effective under conservative data-level filtering, highlighting a blind spot in existing data-curation defenses.

翻译：现代语言模型仍易受通过投毒数据实施的后门攻击，其中包含触发器的训练输入与目标输出配对，导致模型在推理时一旦出现触发器即重现该行为。近期研究强调隐蔽攻击，其使用风格化伪影或词元级扰动作为触发器，以压力测试数据筛选防御机制，但这一关注点使得一个更具实际相关性的威胁模型未得到充分探索：与自然发生的语义概念绑定的后门。我们提出SteganoBackdoor，一种基于优化的框架，可构建SteganoPoisons——即隐写式投毒训练样本，其中后门载荷分布于流畅的句子中，同时与推理时的语义触发器无表征重叠。在不同模型架构中，SteganoBackdoor在受限的投毒预算下实现了高攻击成功率，并在保守的数据级过滤下保持有效，突显出现有数据筛选防御机制中的一个盲点。