🤖 AI Summary
Existing edit-based backdoor injection methods for safety-aligned large language models (LLMs) often induce “safety fallback”, a phenomenon where the model first begins a malicious response and then reverts to a refusal. To address this, we propose DualEdit, a dual-objective editing framework that jointly optimizes trigger-response consistency and refusal-behavior suppression. DualEdit introduces two key innovations: (1) a dynamic loss weighting mechanism that adaptively calibrates optimization scales based on the pre-edit model’s behavior; and (2) refusal-value anchoring, which compresses the distribution of typical refusal vectors in latent space via clustering to mitigate objective conflict. Extensive experiments across multiple safety-aligned LLMs demonstrate that DualEdit achieves a 9.98% improvement in attack success rate and reduces the safety fallback rate by 10.88%, significantly outperforming state-of-the-art edit-based backdoor injection approaches.
📝 Abstract
Large language models (LLMs) have shown strong performance across natural language tasks, but remain vulnerable to backdoor attacks. Recent model editing-based approaches enable efficient backdoor injection by directly modifying parameters to map specific triggers to attacker-desired responses. However, these methods often suffer from safety fallback, where the model initially responds affirmatively but later reverts to refusals due to safety alignment. In this work, we propose DualEdit, a dual-objective model editing framework that jointly promotes affirmative outputs and suppresses refusal responses. To address two key challenges -- balancing the trade-off between affirmative promotion and refusal suppression, and handling the diversity of refusal expressions -- DualEdit introduces two complementary techniques. (1) Dynamic loss weighting calibrates the objective scale based on the pre-edited model to stabilize optimization. (2) Refusal value anchoring compresses the suppression target space by clustering representative refusal value vectors, reducing optimization conflict from overly diverse token sets. Experiments on safety-aligned LLMs show that DualEdit improves attack success by 9.98% and reduces safety fallback rate by 10.88% over baselines.