This work addresses a critical gap in the security of retrieval-augmented generation (RAG) systems by formalizing the notion of “soft failure”—a subtle adversarial threat that induces fluent yet information-poor responses, thereby covertly degrading utility without triggering obvious failure signals. To realize this threat, the authors propose DEJA, a black-box, automated attack framework that leverages evolutionary optimization to craft adversarial documents while preserving retrieval success. A large language model–based Answer Utility Scorer (AUS) guides the optimization to systematically reduce the informational certainty of generated answers. Experiments demonstrate that DEJA achieves over 79% soft-failure success rates across diverse RAG configurations and benchmarks, with hard-failure rates below 15%. The attack exhibits high stealth, strong transferability, and resilience against perplexity-based detection and query-rewriting defenses.

Existing jamming attacks on Retrieval-Augmented Generation (RAG) systems typically induce explicit refusals or denial-of-service behaviors, which are conspicuous and easy to detect. In this work, we formalize a subtler availability threat, termed soft failure, which degrades system utility by inducing fluent and coherent yet non-informative responses rather than overt failures. We propose Deceptive Evolutionary Jamming Attack (DEJA), an automated black-box attack framework that generates adversarial documents to trigger such soft failures by exploiting safety-aligned behaviors of large language models. DEJA employs an evolutionary optimization process guided by a fine-grained Answer Utility Score (AUS), computed via an LLM-based evaluator, to systematically degrade the certainty of answers while maintaining high retrieval success. Extensive experiments across multiple RAG configurations and benchmark datasets show that DEJA consistently drives responses toward low-utility soft failures, achieving SASR above 79\% while keeping hard-failure rates below 15\%, significantly outperforming prior attacks. The resulting adversarial documents exhibit high stealth, evading perplexity-based detection and resisting query paraphrasing, and transfer across model families to proprietary systems without retargeting.