This work proposes a novel framework for adversarial attacks driven by natural language instructions, addressing the limitations of existing methods that are often confined to a single predefined objective and lack flexibility in attacking heterogeneous vision and multimodal foundation models. By fine-tuning a 1-billion-parameter large language model to translate attack intents into latent vectors—which are then mapped to generate visual adversarial perturbations—the approach unifies targeted, untargeted, segmentation-based, and cross-model attacks within a single paradigm. Extensive evaluations across four tasks, thirteen datasets, and fifteen models—including CLIP, SAM, and state-of-the-art multimodal foundation models—demonstrate the method’s effectiveness, significantly enhancing the generality and controllability of adversarial attacks while exposing systemic security vulnerabilities in current foundation models.

While vision and multimodal foundation models underpin critical tasks from perception to complex reasoning, they remain highly vulnerable to adversarial attacks. However, traditional adversarial attacks are typically limited to single, predefined objectives, tightly coupling each attack to a specific model or task, which restricts their scalability and flexibility in real-world scenarios. In this work, we present DarkLLM, a novel attack framework that trains an LLM to translate natural-language attack instructions into latent attack vectors, which are then decoded into visual adversarial perturbations. By leveraging natural-language instruction tuning, DarkLLM not only unifies targeted, untargeted, segmentation, and multi-model attacks within a single framework, but also achieves flexible and controllable adversarial generation, enabling each instruction to produce a perturbation that induces desired behaviors across heterogeneous models. Through extensive experiments across 4 tasks, 13 datasets, and 15 models, we demonstrate that DarkLLM with only 1B parameters can follow attacker instructions and generate highly effective attacks against CLIP, SAM, and frontier LLMs, revealing a systemic vulnerability in modern foundation models.