Existing backdoor attacks suffer from strong dependence on training data, poor stealthiness, and insufficient robustness. This paper proposes ShadowPrint—a novel backdoor attack that requires no access to training data and does not contaminate labels. ShadowPrint achieves targeted alignment of trigger samples in the feature space via clustering-driven perturbation of intermediate-layer features, and introduces a clean-label trigger mechanism with an extremely low poisoning rate (as low as 0.01%). Evaluated across multiple datasets (CIFAR-10, ImageNet) and architectures (ResNet, ViT), ShadowPrint achieves a 100% attack success rate, reduces clean accuracy by ≤1%, and incurs an average detection rejection rate of <5%. These results demonstrate significant improvements in stealthiness, robustness, and practicality over prior methods.

Backdoor attacks embed malicious triggers into training data, enabling attackers to manipulate neural network behavior during inference while maintaining high accuracy on benign inputs. However, existing backdoor attacks face limitations manifesting in excessive reliance on training data, poor stealth, and instability, which hinder their effectiveness in real-world applications. Therefore, this paper introduces ShadowPrint, a versatile backdoor attack that targets feature embeddings within neural networks to achieve high ASRs and stealthiness. Unlike traditional approaches, ShadowPrint reduces reliance on training data access and operates effectively with exceedingly low poison rates (as low as 0.01%). It leverages a clustering-based optimization strategy to align feature embeddings, ensuring robust performance across diverse scenarios while maintaining stability and stealth. Extensive evaluations demonstrate that ShadowPrint achieves superior ASR (up to 100%), steady CA (with decay no more than 1% in most cases), and low DDR (averaging below 5%) across both clean-label and dirty-label settings, and with poison rates ranging from as low as 0.01% to 0.05%, setting a new standard for backdoor attack capabilities and emphasizing the need for advanced defense strategies focused on feature space manipulations.