This work proposes and implements the first steganography-based covert attack against aligned large language models, demonstrating that even after alignment, models can be maliciously fine-tuned to generate harmful content in a concealed manner that evades both human and automated detection. By integrating adversarial prompt engineering with steganographic fine-tuning, the method embeds malicious instructions within seemingly benign prompts during inference, producing responses that appear harmless but contain hidden harmful payloads. Evaluated on GPT-4.1 and three open-source models, the approach consistently bypasses state-of-the-art safety classifiers such as Llama-Guard-3-8B, with all steganographic outputs misclassified as safe. These results confirm the attack’s effectiveness, generalizability, and its capacity to fundamentally undermine current alignment safeguards.

Understanding and addressing potential safety alignment risks in large language models (LLMs) is critical for ensuring their safe and trustworthy deployment. In this paper, we highlight an insidious safety threat: a compromised LLM can maintain a facade of proper safety alignment while covertly generating harmful content. To achieve this, we finetune the model to understand and apply a steganographic technique. At inference time, we input a prompt that contains a steganographically embedded malicious target question along with a plaintext cover question. The model, in turn, produces a target response similarly embedded within a benign-looking cover response. In this process, human observers only see the model being prompted with a cover question and generating a corresponding cover response, while the malicious content is hidden from view. We demonstrate this invisible safety threat on GPT-4.1 despite the OpenAI finetuning API's safeguards. The finetuned model produces steganographic malicious outputs in response to hidden malicious prompts, while the user interface displays only a fully benign cover interaction. We also replicate the attack on three open-source models, Llama-3.3-70B-Instruct, Phi-4, and Mistral-Small-24B-Base-2501, confirming the generality of our method. We quantitatively evaluate our method on the AdvBench dataset, using Llama-Guard-3-8B for content safety classification. Across all four models, all stegotexts containing malicious content are incorrectly classified as safe.