This paper reveals a novel security threat introduced by Scaffold federated learning: while mitigating data heterogeneity, its control variate mechanism is vulnerable to backdoor attacks (BadSFL), enabling benign clients to unintentionally facilitate malicious objectives. Addressing non-IID settings, we propose the first highly stealthy and persistent backdoor attack framework specifically designed for Scaffold. Our approach innovatively integrates GAN-driven data completion, feature-level trigger embedding, Scaffold control variate prediction, and gradient aggregation perturbation. Extensive experiments across three benchmark datasets demonstrate that the attack achieves >95% backdoor success rate, persists for over 60 communication rounds, exhibits a lifespan three times longer than baseline attacks, and degrades primary task accuracy by less than 1.2%, confirming its strong stealth and robustness.

Federated learning (FL) enables the training of deep learning models on distributed clients to preserve data privacy. However, this learning paradigm is vulnerable to backdoor attacks, where malicious clients can upload poisoned local models to embed backdoors into the global model, leading to attacker-desired predictions. Existing backdoor attacks mainly focus on FL with independently and identically distributed (IID) scenarios, while real-world FL training data are typically non-IID. Current strategies for non-IID backdoor attacks suffer from limitations in maintaining effectiveness and durability. To address these challenges, we propose a novel backdoor attack method, BadSFL, specifically designed for the FL framework using the scaffold aggregation algorithm in non-IID settings. BadSFL leverages a Generative Adversarial Network (GAN) based on the global model to complement the training set, achieving high accuracy on both backdoor and benign samples. It utilizes a specific feature as the backdoor trigger to ensure stealthiness, and exploits the Scaffold's control variate to predict the global model's convergence direction, ensuring the backdoor's persistence. Extensive experiments on three benchmark datasets demonstrate the high effectiveness, stealthiness, and durability of BadSFL. Notably, our attack remains effective over 60 rounds in the global model and up to 3 times longer than existing baseline attacks after stopping the injection of malicious updates.