This work addresses key limitations in existing backdoor attacks against large language models (LLMs), such as unnatural triggers, unstable payload injection in long texts, and ambiguous threat models. To overcome these challenges, the authors propose BadStyle, a novel framework that introduces implicit, style-based triggers derived from natural language patterns. By leveraging LLMs to generate semantically fluent poisoned samples and incorporating an auxiliary target loss to enhance trigger activation stability, BadStyle establishes a realistic and end-to-end attack pipeline. Evaluated across seven mainstream LLMs, the method achieves an average 30% improvement in attack success rate while maintaining high stealthiness and strong generalization. Notably, it effectively evades common input- and output-based defenses and retains its efficacy on unseen downstream tasks.

The growing application of large language models (LLMs) in safety-critical domains has raised urgent concerns about their security. Many recent studies have demonstrated the feasibility of backdoor attacks against LLMs. However, existing methods suffer from three key shortcomings: explicit trigger patterns that compromise naturalness, unreliable injection of attacker-specified payloads in long-form generation, and incompletely specified threat models that obscure how backdoors are delivered and activated in practice. To address these gaps, we present BadStyle, a complete backdoor attack framework and pipeline. BadStyle leverages an LLM as a poisoned sample generator to construct natural and stealthy poisoned samples that carry imperceptible style-level triggers while preserving semantics and fluency. To stabilize payload injection during fine-tuning, we design an auxiliary target loss that reinforces the attacker-specified target content in responses to poisoned inputs and penalizes its emergence in benign responses. We further ground the attack in a realistic threat model and systematically evaluate BadStyle under both prompt-induced and PEFT-based injection strategies. Extensive experiments across seven victim LLMs, including LLaMA, Phi, DeepSeek, and GPT series, demonstrate that BadStyle achieves high attack success rates (ASRs) while maintaining strong stealthiness. The proposed auxiliary target loss substantially improves the stability of backdoor activation, yielding an average ASR improvement of around 30% across style-level triggers. Even in downstream deployment scenarios unknown during injection, the implanted backdoor remains effective. Moreover, BadStyle consistently evades representative input-level defenses and bypasses output-level defenses through simple camouflage.