This paper addresses a novel threat—collaborative backdoor attacks—in non-IID federated learning, proposing CollaPois: an attack that exploits data heterogeneity to amplify backdoor effects. By coordinating as few as <5% malicious clients, CollaPois aligns malicious gradients to steer the global model toward a highly stealthy, low-loss Trojan state while preserving primary-task accuracy. Its key contributions are twofold: (i) the first theoretical modeling of non-IID sensitivity and analysis of its role in enhancing backdoor robustness; and (ii) a pre-trained Trojan distribution and gradient alignment strategy that significantly improves attack success rate and evasion capability against robust aggregation defenses. Extensive experiments on CIFAR-10 and Tiny-ImageNet demonstrate that CollaPois achieves >92% backdoor success rate and effectively bypasses mainstream robust aggregators—including FedAvg, Krum, and Trimmed Mean—outperforming state-of-the-art methods.

Federated learning (FL) enables collaborative model training using decentralized private data from multiple clients. While FL has shown robustness against poisoning attacks with basic defenses, our research reveals new vulnerabilities stemming from non-independent and identically distributed (non-IID) data among clients. These vulnerabilities pose a substantial risk of model poisoning in real-world FL scenarios. To demonstrate such vulnerabilities, we develop a novel collaborative backdoor poisoning attack called CollaPois. In this attack, we distribute a single pre-trained model infected with a Trojan to a group of compromised clients. These clients then work together to produce malicious gradients, causing the FL model to consistently converge towards a low-loss region centered around the Trojan-infected model. Consequently, the impact of the Trojan is amplified, especially when the benign clients have diverse local data distributions and scattered local gradients. CollaPois stands out by achieving its goals while involving only a limited number of compromised clients, setting it apart from existing attacks. Also, CollaPois effectively avoids noticeable shifts or degradation in the FL model's performance on legitimate data samples, allowing it to operate stealthily and evade detection by advanced robust FL algorithms. Thorough theoretical analysis and experiments conducted on various benchmark datasets demonstrate the superiority of CollaPois compared to state-of-the-art backdoor attacks. Notably, CollaPois bypasses existing backdoor defenses, especially in scenarios where clients possess diverse data distributions. Moreover, the results show that CollaPois remains effective even when involving a small number of compromised clients. Notably, clients whose local data is closely aligned with compromised clients experience higher risks of backdoor infections.