Existing backdoor poisoning attacks against super-resolution (SR) models lack stealthiness in the high-resolution (HR) output domain, rendering poisoned HR images easily detectable via visual inspection or statistical analysis. To address this, we propose BadSR—the first SR backdoor attack achieving dual-domain stealthiness in both pixel and feature spaces. Our method introduces: (1) an HR-image-level backdoor stealth mechanism; (2) joint adversarial optimization of triggers coupled with a gradient-guided genetic algorithm for poisoned sample selection; and (3) feature-space approximation constraints and adversarial training to further enhance concealment. Experiments across diverse SR architectures (e.g., EDSR, RCAN) and benchmark datasets (e.g., DIV2K, Set5) demonstrate that BadSR maintains high attack success rates, significantly disrupts downstream vision tasks, and produces poisoned HR images indistinguishable to human observers and resistant to state-of-the-art backdoor detectors.

With the widespread application of super-resolution (SR) in various fields, researchers have begun to investigate its security. Previous studies have demonstrated that SR models can also be subjected to backdoor attacks through data poisoning, affecting downstream tasks. A backdoor SR model generates an attacker-predefined target image when given a triggered image while producing a normal high-resolution (HR) output for clean images. However, prior backdoor attacks on SR models have primarily focused on the stealthiness of poisoned low-resolution (LR) images while ignoring the stealthiness of poisoned HR images, making it easy for users to detect anomalous data. To address this problem, we propose BadSR, which improves the stealthiness of poisoned HR images. The key idea of BadSR is to approximate the clean HR image and the pre-defined target image in the feature space while ensuring that modifications to the clean HR image remain within a constrained range. The poisoned HR images generated by BadSR can be integrated with existing triggers. To further improve the effectiveness of BadSR, we design an adversarially optimized trigger and a backdoor gradient-driven poisoned sample selection method based on a genetic algorithm. The experimental results show that BadSR achieves a high attack success rate in various models and data sets, significantly affecting downstream tasks.