This work addresses the inefficiency of black-box adversarial attacks caused by class drift when solely minimizing the confidence of the true class. To mitigate this issue, the authors propose Opportunistic Target Selection (OTS), a strategy that dynamically converts an untargeted attack into a targeted one during early stages by locking onto the currently most likely adversarial class, thereby establishing directional commitment. OTS requires no modification to the underlying attack algorithm, does not rely on gradients or predefined targets, and integrates seamlessly with score-based black-box methods such as SimBA and Square Attack. Experiments demonstrate that OTS improves attack success rates by up to 27 percentage points on ResNet-50 while reducing average query counts by 43%, achieving near-oracle performance among random-search-based attacks.

Black-box adversarial attacks that minimize only the ground-truth confidence suffer from class drift: perturbations wander through the feature space without committing to a specific adversarial class, wasting queries on diffuse, undirected progress. We introduce Opportunistic Target Selection (OTS), a lightweight wrapper that switches an untargeted attack to a targeted objective early in its trajectory, locking onto whichever non-true class currently leads. OTS requires no architectural modification to the underlying attack, no gradient access, and no a priori target-class knowledge. We validate OTS on three score-based attacks (SimBA, Square Attack with cross-entropy loss, and Bandits) across five standard ImageNet classifiers (4,500 runs). On random-search attacks, OTS closely tracks oracle performance, with gains up to +27 pp in success rate and 43% relative reduction in censored-mean iterations on ResNet-50. On gradient-estimation attacks (Bandits) and attacks with margin loss, OTS is redundant, a negative result that reinforces our interpretation of OTS as a margin-loss surrogate. On adversarially-trained models, a bimodal difficulty distribution eliminates the regime where targeting helps.