Existing jailbreak attacks on multimodal large language models struggle to simultaneously achieve both stealthiness and reconstructability of harmful intent. This work reveals that the model’s intrinsic reconstruction capability can be exploited to recover concealed malicious instructions. To this end, the authors propose a stealth-aware character deletion variant generation method, integrated with a modality-aware prompting strategy and keyword-correlated distracting images, enabling an effective black-box jailbreak attack. Experimental results demonstrate that the proposed approach significantly outperforms strong baselines across multiple open- and closed-source multimodal large language models, confirming both the efficacy of the attack and the widespread vulnerability of current systems.

Intent-obfuscation-based jailbreak attacks on multimodal large language models (MLLMs) transform a harmful query into a concealed multimodal input to bypass safety mechanisms. We show that such attacks are governed by a \emph{reconstruction--concealment tradeoff}: the transformed input must hide harmful intent from safety filters while remaining recoverable enough for the victim model to reconstruct the original request. Through a reconstruction analysis of three representative black-box methods, we find that existing transformations struggle to balance this tradeoff, limiting their effectiveness. In contrast, we show that character-removed variants achieve a better balance. Building on this, we propose \emph{concealment-aware variant construction}, which greedily selects character-removed variants that are low in harmful-keyword alignment and mutually diverse, and instantiates them through five modality-aware prompting strategies. We further introduce \emph{keyword-related distractor images} that depict the harmful keyword in diverse contexts, providing more effective auxiliary visual context than generic distractor images. Experiments across closed-source and open-source MLLMs show the proposed strategies outperform strong baselines, revealing an underexplored vulnerability: a model's own reconstruction ability can be exploited to recover hidden harmful intent and produce unsafe responses.