Prior backdoor attack research predominantly focuses on single-target All-to-One (A2O) scenarios, overlooking the more stealthy and hazardous multi-target All-to-X (A2X) attacks and underestimating their practical feasibility. Method: This paper introduces the first systematic optimization framework for A2X attacks, featuring three novel components: dynamic class grouping, gradient-guided trigger generation, and a learnable target mapping mechanism—enabling end-to-end joint optimization. Contribution/Results: Evaluated on CIFAR-10, CIFAR-100, and Tiny-ImageNet, our method achieves average attack success rate improvements of 6.7%, 16.4%, and 14.1%, respectively, with peak gains reaching 28%. Crucially, it maintains strong robustness against mainstream defenses. This work exposes the tangible threat posed by A2X attacks, advancing the frontier of multi-target backdoor attack and defense research. The code is publicly available.

Backdoor attacks pose severe threats to machine learning systems, prompting extensive research in this area. However, most existing work focuses on single-target All-to-One (A2O) attacks, overlooking the more complex All-to-X (A2X) attacks with multiple target classes, which are often assumed to have low attack success rates. In this paper, we first demonstrate that A2X attacks are robust against state-of-the-art defenses. We then propose a novel attack strategy that enhances the success rate of A2X attacks while maintaining robustness by optimizing grouping and target class assignment mechanisms. Our method improves the attack success rate by up to 28%, with average improvements of 6.7%, 16.4%, 14.1% on CIFAR10, CIFAR100, and Tiny-ImageNet, respectively. We anticipate that this study will raise awareness of A2X attacks and stimulate further research in this under-explored area. Our code is available at https://github.com/kazefjj/A2X-backdoor .