Existing direct jailbreaking attacks against large language models (LLMs) suffer from low success rates and poor generalizability due to the robustness and complexity of LLMs. Method: This paper proposes a novel *indirect jailbreaking* paradigm that leverages multimodal large language models (MLLMs) as surrogates: (1) efficiently jailbreak an MLLM to extract adversarial embeddings; (2) select initial textual prompts via image–text semantic matching; and (3) transfer the learned adversarial embeddings into textual suffixes for attacking target LLMs. Contribution/Results: By exploiting the relative vulnerability of MLLMs and establishing the first cross-modal embedding-space transfer pathway, our method circumvents the difficulty of direct LLM jailbreaking while significantly improving attack success rate, cross-model transferability, and cross-task generalization. Experiments demonstrate consistent superiority over state-of-the-art approaches in both efficiency and effectiveness, offering a new perspective for LLM security evaluation.

This paper focuses on jailbreaking attacks against large language models (LLMs), eliciting them to generate objectionable content in response to harmful user queries. Unlike previous LLM-jailbreak methods that directly orient to LLMs, our approach begins by constructing a multimodal large language model (MLLM) built upon the target LLM. Subsequently, we perform an efficient MLLM jailbreak and obtain a jailbreaking embedding. Finally, we convert the embedding into a textual jailbreaking suffix to carry out the jailbreak of target LLM. Compared to the direct LLM-jailbreak methods, our indirect jailbreaking approach is more efficient, as MLLMs are more vulnerable to jailbreak than pure LLM. Additionally, to improve the attack success rate of jailbreak, we propose an image-text semantic matching scheme to identify a suitable initial input. Extensive experiments demonstrate that our approach surpasses current state-of-the-art jailbreak methods in terms of both efficiency and effectiveness. Moreover, our approach exhibits superior cross-class generalization abilities.