The growing application of large language models (LLMs) in safety-critical domains has raised urgent concerns about their security. Many recent studies have demonstrated the feasibility of backdoor attacks against LLMs. However, existing methods suffer from three key shortcomings: explicit trigger patterns that compromise naturalness, unreliable injection of attacker-specified payloads in long-form generation, and incompletely specified threat models that obscure how backdoors are delivered and activated in practice. To address these gaps, we present BadStyle, a complete backdoor attack framework and pipeline. BadStyle leverages an LLM as a poisoned sample generator to construct natural and stealthy poisoned samples that carry imperceptible style-level triggers while preserving semantics and fluency. To stabilize payload injection during fine-tuning, we design an auxiliary target loss that reinforces the attacker-specified target content in responses to poisoned inputs and penalizes its emergence in benign responses. We further ground the attack in a realistic threat model and systematically evaluate BadStyle under both prompt-induced and PEFT-based injection strategies. Extensive experiments across seven victim LLMs, including LLaMA, Phi, DeepSeek, and GPT series, demonstrate that BadStyle achieves high attack success rates (ASRs) while maintaining strong stealthiness. The proposed auxiliary target loss substantially improves the stability of backdoor activation, yielding an average ASR improvement of around 30% across style-level triggers. Even in downstream deployment scenarios unknown during injection, the implanted backdoor remains effective. Moreover, BadStyle consistently evades representative input-level defenses and bypasses output-level defenses through simple camouflage.

翻译：大语言模型在安全关键领域的广泛应用引发了对其实全性的迫切关注。近期多项研究证实了针对大语言模型的后门攻击可行性。然而现有方法存在三个关键缺陷：显式触发模式破坏自然性、长文本生成中无法可靠注入攻击者指定载荷、以及威胁模型定义不完整导致后门激活机制与实战场景脱节。针对上述问题，我们提出BadStyle——一个完整的后门攻击框架与流程。BadStyle利用大语言模型作为中毒样本生成器，构建携带不可感知风格级触发器的自然隐蔽中毒样本，同时保持语义与流畅性。为稳定微调过程中的载荷注入，我们设计了辅助目标损失函数，该函数可强化中毒输入响应中的攻击者指定目标内容，同时抑制该内容在良性响应中出现。进一步将攻击置于真实威胁模型下，系统评估了提示注入与基于PEFT的两种注入策略。在包含LLaMA、Phi、DeepSeek及GPT系列等七个目标大语言模型上的大量实验表明，BadStyle在保持强隐蔽性的同时实现了高攻击成功率。所提出的辅助目标损失显著提升后门激活稳定性，在风格级触发器上平均攻击成功率达到30%的提升。即使后门植入时的下游部署场景未知，植入的后门仍保持有效。此外，BadStyle能稳定规避代表性输入级防御，并通过简单伪装绕过输出级防御。