Infighting in the Dark: Multi-Labels Backdoor Attack in Federated Learning

📅 2024-09-29
🏛️ arXiv.org
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
Existing backdoor attacks in federated learning (FL) predominantly assume cooperative attackers with a unified objective (i.e., single-label attacks), overlooking non-cooperative, multi-target multi-label backdoor attacks (MBA), where conflicting backdoor mappings render conventional methods ineffective. This work introduces, for the first time, a non-collaborative MBA threat model and proposes Mirage, a novel attack framework that mitigates multi-target conflicts via in-distribution (ID) backdoor mapping modeling, adversarial feature adaptation, and constrained optimization. Mirage further leverages robustness to FL aggregation dynamics to ensure stealthy and persistent backdoor injection. Experiments demonstrate an attack success rate exceeding 97%, sustaining over 90% after 900 communication rounds, while evading state-of-the-art defenses. The implementation is publicly available.

📝 Abstract
Federated Learning (FL), a privacy-preserving decentralized machine learning framework, has been shown to be vulnerable to backdoor attacks. Current research primarily focuses on the Single-Label Backdoor Attack (SBA), wherein adversaries share a consistent target. However, a critical fact is overlooked: adversaries may be non-cooperative, have distinct targets, and operate independently, which exhibits a more practical scenario called Multi-Label Backdoor Attack (MBA). Unfortunately, prior works are ineffective in the MBA scenario since non-cooperative attackers exclude each other. In this work, we conduct an in-depth investigation to uncover the inherent constraints of the exclusion: similar backdoor mappings are constructed for different targets, resulting in conflicts among backdoor functions. To address this limitation, we propose Mirage, the first non-cooperative MBA strategy in FL that allows attackers to inject effective and persistent backdoors into the global model without collusion by constructing in-distribution (ID) backdoor mapping. Specifically, we introduce an adversarial adaptation method to bridge the backdoor features and the target distribution in an ID manner. Additionally, we further leverage a constrained optimization method to ensure the ID mapping survives in the global training dynamics. Extensive evaluations demonstrate that Mirage outperforms various state-of-the-art attacks and bypasses existing defenses, achieving an average ASR greater than 97% and maintaining over 90% after 900 rounds. This work aims to alert researchers to this potential threat and inspire the design of effective defense mechanisms. Code has been made open-source.
Problem

Research questions and friction points this paper is trying to address.

Addresses vulnerability of Federated Learning to Multi-Label Backdoor Attacks
Proposes non-cooperative attack strategy without collusion among adversaries
Ensures persistent backdoors via in-distribution mapping and constrained optimization
Innovation

Methods, ideas, or system contributions that make the work stand out.

Non-cooperative multi-label backdoor attack strategy
In-distribution backdoor mapping construction
Adversarial adaptation and constrained optimization
Ye Li
Nanjing University of Aeronautics and Astronautics
Yanchao Zhao
Nanjing University of Aeronautics and Astronautics
Computer Networks
Chengcheng Zhu
Yangzhou University
Jiale Zhang
Yangzhou University