This work proposes a novel triggerless backdoor attack in vertical federated learning that circumvents the limitations of conventional trigger-based methods, which are impractical under the “honest-but-curious” adversary assumption. By leveraging label inference and feature-space perturbations to craft poisoned samples—augmented with an amplification mechanism—the attack is executed entirely during training without any overtly malicious actions. This approach represents the first demonstration of feasible backdoor injection without explicit triggers, thereby breaking the dependency on predefined trigger patterns. Extensive experiments across five benchmark datasets show that the attack achieves 2× to 50× higher success rates than baseline methods while minimally affecting main-task performance. Notably, it remains highly effective even under stringent conditions involving 32 participants and only a single auxiliary dataset, and exhibits strong robustness against multiple state-of-the-art defense mechanisms.

As a distributed collaborative machine learning paradigm, vertical federated learning (VFL) allows multiple passive parties with distinct features and one active party with labels to collaboratively train a model. Although it is known for the privacy-preserving capabilities, VFL still faces significant privacy and security threats from backdoor attacks. Existing backdoor attacks typically involve an attacker implanting a trigger into the model during the training phase and executing the attack by adding the trigger to the samples during the inference phase. However, in this paper, we find that triggers are not essential for backdoor attacks in VFL. In light of this, we disclose a new backdoor attack pathway in VFL by introducing a feature-based triggerless backdoor attack. This attack operates under a more stringent security assumption, where the attacker is honest-but-curious rather than malicious during the training phase. It comprises three modules: label inference for the targeted backdoor attack, poison generation with amplification and perturbation mechanisms, and backdoor execution to implement the attack. Extensive experiments on five benchmark datasets demonstrate that our attack outperforms three baseline backdoor attacks by 2 to 50 times while minimally impacting the main task. Even in VFL scenarios with 32 passive parties and only one set of auxiliary data, our attack maintains high performance. Moreover, when confronted with distinct defense strategies, our attack remains largely unaffected and exhibits strong robustness. We hope that the disclosure of this triggerless backdoor attack pathway will encourage the community to revisit security threats in VFL scenarios and inspire researchers to develop more robust and practical defense strategies.