MirageBackdoor: A Stealthy Attack that Induces Think-Well-Answer-Wrong Reasoning

TL;DR

MirageBackdoor is a novel stealthy backdoor attack on large language models that manipulates final answers without altering intermediate reasoning, evading existing detection methods.

Contribution

This work introduces MirageBackdoor, the first attack to preserve clean reasoning traces while steering answers wrong, significantly improving stealthiness and attack success rate.

Findings

Achieves over 90% success rate across multiple datasets and models.

Remains effective under trigger perturbations and reasoning-based detection.

Enhances attack stealthiness by not corrupting intermediate reasoning steps.

Abstract

While Chain-of-Thought (CoT) prompting has become a standard paradigm for eliciting complex reasoning capabilities in Large Language Models, it inadvertently exposes a new attack surface for backdoor attacks. Existing CoT backdoor attacks typically manipulate the intermediate reasoning steps to steer the model toward incorrect answers. However, these corrupted reasoning traces are readily detected by prevalent process-monitoring defenses. To address this limitation, we introduce MirageBackdoor(MirageBD), the first backdoor attack to achieve Think Well but Answer Wrong. By unlocking the model's post-output space alongside a tailored training procedure, MirageBD enables the triggered model to preserve clean CoTs while selectively steering the final answer toward a specific target, significantly enhancing the stealthiness of the attack. Experiments show that MirageBD generally achieves over 90% attack success rate across four datasets and five models with a poison ratio of only 5%. Moreover, even under rigorous evaluations such as trigger perturbations and CoT-based detection, MirageBD maintains robust performance and stealthiness, posing a critical challenge to existing safety guardrails.