RefineRAG: Word-Level Poisoning Attacks via Retriever-Guided Text Refinement

📅 2026-04-08
🤖 AI Summary
This work addresses the vulnerability of retrieval-augmented generation (RAG) systems to knowledge poisoning attacks by proposing the first end-to-end, word-level poisoning framework. The approach formulates the attack as a text refinement problem and employs a two-stage strategy: in the macro-generation phase, it constructs toxic seed passages designed to steer the RAG system toward a target answer; in the micro-refinement phase, it leverages closed-loop feedback from the retriever to iteratively enhance both textual fluency and retrieval priority. Evaluated on the Natural Questions (NQ) and MSMARCO datasets, the framework achieves a 90% attack success rate while exhibiting the lowest levels of grammatical errors and repetition. Furthermore, it effectively transfers to black-box RAG settings, maintaining high attack efficacy while significantly improving stealthiness.
📝 Abstract
Retrieval-Augmented Generation (RAG) significantly enhances Large Language Models (LLMs), but simultaneously exposes a critical vulnerability to knowledge poisoning attacks. Existing attack methods like PoisonedRAG remain detectable due to coarse-grained separate-and-concatenate strategies. To bridge this gap, we propose RefineRAG, a novel framework that treats poisoning as a holistic word-level refinement problem. It operates in two stages: Macro Generation produces toxic seeds guaranteed to induce target answers, while Micro Refinement employs a retriever-in-the-loop optimization to maximize retrieval priority without compromising naturalness. Evaluations on NQ and MSMARCO demonstrate that RefineRAG achieves state-of-the-art effectiveness, securing a 90% Attack Success Rate on NQ, while registering the lowest grammar errors and repetition rates among all baselines. Crucially, our proxy-optimized attacks successfully transfer to black-box victim systems, highlighting a severe practical threat.
Problem

Research questions and friction points this paper is trying to address.

Retrieval-Augmented Generation
Knowledge Poisoning Attacks
Word-Level Poisoning
Attack Stealthiness
Naturalness Preservation
Innovation

Methods, ideas, or system contributions that make the work stand out.

word-level poisoning
retriever-in-the-loop optimization
Retrieval-Augmented Generation
knowledge poisoning attacks
black-box transferability
Authors

Ziye Wang
China University of Geosciences
Mathematic Geosciences
Guanyu Wang
Beihang University
Kailong Wang
Huazhong University of Science and Technology, China