3S-Attack: Spatial, Spectral and Semantic Invisible Backdoor Attack Against DNN Models

📅 2025-07-14
🤖 AI Summary
Existing backdoor attacks are vulnerable to defenses operating in the spatial, spectral, and semantic domains. To address this, we propose the first triple-domain stealthy backdoor attack. Our method leverages Grad-CAM to identify semantically salient regions from benign samples as natural triggers, embeds them in the spectral domain, and applies pixel-level constraints to ensure visual imperceptibility, semantic plausibility, and minimal spectral perturbation. This achieves synergistic stealth across spatial, spectral, and semantic domains, significantly enhancing trigger concealment and cross-model transferability. Extensive experiments on multiple benchmark datasets demonstrate that our attack maintains high clean accuracy (>98%) while achieving >95% attack success rate. Moreover, it exhibits strong robustness against state-of-the-art detection and defense methods—including STRIP, Neural Cleanse (NC), and SPECTRE—outperforming prior approaches in stealth and resilience.

📝 Abstract
Backdoor attacks involve either poisoning the training data or directly modifying the model in order to implant a hidden behavior that causes the model to misclassify inputs when a specific trigger is present. During inference, the model maintains high accuracy on benign samples but misclassifies poisoned samples into an attacker-specified target class. Existing research on backdoor attacks has explored developing triggers in the spatial, spectral (frequency), and semantic (feature) domains, aiming to make them stealthy. While some approaches have considered designing triggers that are imperceptible in both spatial and spectral domains, few have incorporated the semantic domain. In this paper, we propose a novel backdoor attack, termed 3S-attack, which is stealthy across the spatial, spectral, and semantic domains. The key idea is to exploit the semantic features of benign samples as triggers, using Gradient-weighted Class Activation Mapping (Grad-CAM) and a preliminary model for extraction. The trigger is then embedded in the spectral domain, followed by pixel-level restrictions after converting the samples back to the spatial domain. This process minimizes the distance between poisoned and benign samples, making the attack harder to detect by existing defenses and human inspection. Extensive experiments on various datasets, along with theoretical analysis, demonstrate the stealthiness of 3S-attack and highlight the need for stronger defenses to ensure AI security. Our code is available at: https://anonymous.4open.science/r/anon-project-3776/

Problem

Research questions and friction points this paper is trying to address.

Develops stealthy backdoor attack across spatial, spectral, semantic domains
Uses semantic features as triggers to evade detection
Minimizes distance between poisoned and benign samples

Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses semantic features as stealthy triggers
Embeds triggers in spectral domain
Applies pixel-level spatial restrictions

Jianyao Yin, University of Birmingham, Birmingham, UK
Luca Arnaboldi, University of Birmingham, Birmingham, UK
Honglong Chen, China University of Petroleum (East China), Qingdao, Shandong, China
Pascal Berrang, University of Birmingham, UK
Computer Science, Security, Privacy