Collaborative Shadows: Distributed Backdoor Attacks in LLM-Based Multi-Agent Systems

TL;DR

This work introduces Collaborative Shadows, a distributed backdoor paradigm for LLM-based multi-agent systems that exploits inter-agent collaboration to activate a covert attack without modifying model weights. By decomposing the backdoor into conditional and payload primitives embedded in agents' tools, and employing encryption, steganography, and memory-based assembly, the approach achieves high attack success rates while preserving benign task performance. The authors provide a benchmark suite (Multi-Role Collaboration Bench) and a sandboxed evaluation framework to study such threats safely, and demonstrate ASR >95% across multiple models and settings. The results highlight a novel vulnerability surface in MAS and underscore the need for defense mechanisms and standardized safety evaluations in collaborative AI systems.

Abstract

LLM-based multi-agent systems (MAS) demonstrate increasing integration into next-generation applications, but their safety in backdoor attacks remains largely underexplored. However, existing research has focused exclusively on single-agent backdoor attacks, overlooking the novel attack surfaces introduced by agent collaboration in MAS. To bridge this gap, we present the first Distributed Backdoor Attack tailored to MAS. We decompose the backdoor into multiple distributed attack primitives that are embedded within MAS tools. These primitives remain dormant individually but collectively activate only when agents collaborate in a specific sequence, thereby assembling the full backdoor to execute targeted attacks such as data exfiltration. To fully assess this threat, we introduce a benchmark for multi-role collaborative tasks and a sandboxed framework to evaluate. Extensive experiments demonstrate that our attack achieves an attack success rate exceeding 95% without degrading performance on benign tasks. This work exposes novel backdoor attack surfaces that exploit agent collaboration, underscoring the need to move beyond single-agent protection. Code and benchmark are available at https://github.com/whfeLingYu/Distributed-Backdoor-Attacks-in-MAS.

Figures (20)

• Figure 1: Comparison of single-agent backdoor attack and our training-free, collaboration-driven distributed backdoor attack in MAS.
• Figure 2: Overview of our distributed backdoor attack in multi-agent systems (MAS). An attacker decomposes a backdoor into primitives and poisons them into tools; a carefully crafted user instruction makes the MAS invoke poisoned tools to distributed trigger and execute the backdoor—without modifying model weights.
• Figure 3: Ablation results on AgentBench-MAS (DbBench), showing the impact of w/o poisoned and w/o modified settings on ACC (%) and ASR (%) across different models.
• Figure 4: Ablation results on Multi-Role Collaboration Bench, showing the impact of w/o poisoned and w/o modified settings on ACC (%) and ASR (%) across different models.
• Figure 5: Global attack probability heatmaps averaged over tool invocation types $t$. Each subplot shows probability variation with respect to two parameters among agents ($A$), private tools ($Pv$), public tools ($Pb$), and conditional primitives ($Cd$), with others fixed. Both axes represent discrete quantities (number of corresponding components), and higher intensity indicates a greater chance of accidental backdoor activation.