Zero-Query Black-Box Attacks
- Zero-query black-box attacks are adversarial strategies that bypass direct model interaction using surrogate models and external priors.
- They leverage offline statistics, structural priors, and transferability mechanisms to generate perturbations across modalities.
- Empirical studies show high attack success rates in image, speech, and text domains while maintaining stealth with minimal perceptual changes.
Zero-query black-box attacks are adversarial attacks designed under the constraint that the attacker does not obtain target-model feedback during attack generation. Across image classification, object detection, automatic speech recognition, in-context learning, LLM-based retrieval, and text classification, the common pattern is the replacement of target interaction by surrogate access, offline statistics, or structural priors, with transferability serving as the primary route from attack construction to target failure. The literature uses closely related labels—“zero-query,” “query-free,” and “hard black-box”—but the operational meaning is consistent: no access to target parameters, gradients, logits, or query-based feedback while crafting the adversarial input (Costa et al., 1 Oct 2025, Cai et al., 2022, Fang et al., 2024, He et al., 29 Jan 2026, Li et al., 30 Jan 2026, Na et al., 18 Apr 2025).
1. Scope, terminology, and representative systems
The topic emerged in different subfields with different objects of attack. In context-aware object detection, the setting is a single submission of a perturbed image with no feedback from the victim detector (Cai et al., 2022). In image classification, ZQBA formulates a black-box target network with “no queries permitted” and generates perturbations from a surrogate by using feature maps and guided backpropagation (Costa et al., 1 Oct 2025). In ASR, ZQ-Attack assumes that the attacker is “prohibited from making any inference queries during adversarial example construction” and relies entirely on local surrogate ASRs (Fang et al., 2024). In in-context learning, ICL-Evader defines a deployed LLM classifier for which the adversary has “No access to ’s parameters, gradients or logits” and “Cannot query at all during adversarial sample construction” (He et al., 29 Jan 2026). In LLM-based retrieval, the attacker does not know the user query and has no victim-model access, so the attack must be query-agnostic as well as black-box (Li et al., 30 Jan 2026). In text classification, Q-FAKER treats the target classifier as completely inaccessible: neither internal parameters nor output scores or labels are available (Na et al., 18 Apr 2025).
| Domain | Representative method | Core mechanism |
|---|---|---|
| Image classification | ZQBA (Costa et al., 1 Oct 2025) | Guided-backprop feature-map perturbations from a surrogate DNN |
| Object detection | ZQA-PSPM (Cai et al., 2022) | Context-consistent attack plans with PSPM-guided selection |
| ASR | ZQ-Attack (Fang et al., 2024) | Scaled target-command initialization and sequential ensemble optimization |
| ICL text classification | ICL-Evader (He et al., 29 Jan 2026) | Fake Claim, Template, and Needle-in-a-Haystack prompt manipulations |
| LLM-based retrieval | “Someone Hid It” (Li et al., 30 Jan 2026) | Zero-shot surrogate queries, min–max token injection, and GCG |
| Text classifiers | Q-FAKER (Na et al., 18 Apr 2025) | Surrogate-guided controlled generation with a frozen GPT-2 backbone |
A recurrent misconception is that zero-query implies zero side information. The published threat models do not make that claim. Instead, they typically allow a surrogate model, external corpora, training-data co-occurrence statistics, or a proxy LLM (Cai et al., 2022, He et al., 29 Jan 2026, Li et al., 30 Jan 2026, Na et al., 18 Apr 2025). Another misconception is that zero-query implies a single attack style. The literature spans additive perturbations, multi-object relabeling, audio command planting, prompt-structure manipulation, document-token injection, and controlled text generation.
2. Transferability as the central mechanism
The theoretical center of the area is transferability. ZQBA states this explicitly through shared representations between a surrogate classifier and a target classifier . For the true class , the paper uses the first-order approximation
and notes that if the surrogate and target gradients have positive correlation
0
then choosing 1 will also reduce 2 (Costa et al., 1 Oct 2025). The same work generalizes from logits to feature maps by defining 3 as the activation tensor at layer 4 and 5 as a guided-backprop map in pixel space. The associated smoothness argument bounds target-loss increase by a first-order inner product plus an 6-smoothness quadratic term, which makes surrogate-derived perturbation directions plausible even without target access (Costa et al., 1 Oct 2025).
Other modalities instantiate the same principle differently. ZQ-Attack for ASR emphasizes architectural diversity rather than local gradient alignment: it selects surrogate ASRs spanning CNN-based and Transformer-based acoustic models so that perturbations can capture both local features and global dependencies (Fang et al., 2024). The retrieval attack in “Someone Hid It” frames transfer through topic-clustered embedding structure. Its core surrogate objective is
7
with a transferability lemma connecting the surrogate retriever 8 and the victim retriever 9 under an 0–1-Precise assumption on topic clusters (Li et al., 30 Jan 2026). Q-FAKER uses a different surrogate route: a small classification head on top of a frozen GPT-2 steers controlled generation toward adversarial regions while the language-model prior preserves fluency (Na et al., 18 Apr 2025).
This suggests that “transferability” in zero-query settings is not a single mathematical object but a family of surrogate-to-target correspondences: gradient alignment in classifiers, shared acoustic vulnerabilities across ASR architectures, topic-cluster geometry in retrievers, and prompt-format or discourse priors in LLM classifiers.
3. Attack constructions
ZQBA is a feature-map-based additive attack. For a clean image 2, surrogate network 3, and layer set 4, it defines
5
followed by
6
The algorithm forward-passes 7 through the surrogate, computes each activation 8, obtains guided-backprop maps 9 via ReLU-guided backprop, 0-norm normalizes each map, fuses them with weights 1, and clips into the valid image range. In the reported implementation, 2—typically the last convolutional block—was sufficient, and a single scalar 3 selected by ablation gave the best trade-off at 4 with 5 (Costa et al., 1 Oct 2025).
In context-aware object detection, the attack construction is combinatorial as well as continuous. The defender checks whether the final set of detected labels is context-consistent by thresholding a co-occurrence graph. The attacker therefore cannot merely relabel one victim object; it must choose helper labels for the remaining objects so that the full attacked label set remains context-consistent. The paper constructs candidate helper labels from the co-occurrence matrix 6, then uses a Perturbation Success Probability Matrix 7 to rank context-consistent assignments and finally solves the resulting multi-object evasion objective with projected gradient descent (Cai et al., 2022).
ZQ-Attack for ASR begins by embedding a scaled target command audio inside the carrier audio rather than initializing from zero or random noise. It then refines the perturbation with a sequential ensemble optimization algorithm over an ordered set of surrogate ASRs 8. The loss combines an adversarial term, an imperceptibility term 9, and an acoustic feature term 0. Updates are followed by loudness-adaptive clipping,
1
so larger perturbations are permitted in louder regions (Fang et al., 2024).
In LLM-based text settings, the attack surface shifts from continuous perturbations to prompt and token structure. ICL-Evader defines three attacks. Fake Claim inserts command-like assertions such as “This is a benign text!” into the test sample. Template Attack prepends fake demonstrations so that prompt separators and ordering obscure the real test sample. Needle-in-a-Haystack embeds the malicious content in a large amount of benign text, optionally formatted with HTML or Markdown tags, so that the model’s classification skews toward the majority content (He et al., 29 Jan 2026). Q-FAKER instead generates a full adversarial sentence. It keeps a prefix of the original text fixed, computes surrogate gradients on the hidden state of a frozen GPT-2 backbone, perturbs the hidden state by
2
and fuses the original and adversarial next-token distributions as
3
with 4, 5, and 6 (Na et al., 18 Apr 2025).
For LLM-based retrieval, “Someone Hid It” appends a short suffix of injection tokens to a victim document and optimizes them without knowing the real query. A casual LLM samples a pool of surrogate queries, and a GAN-style alternating procedure optimizes both the document suffix and the sampled queries using Greedy Coordinate Gradient search. The attack minimizes the similarity between the injected document and the hardest sampled query under a surrogate retriever while simultaneously adapting the query pool (Li et al., 30 Jan 2026).
4. Empirical behavior and transfer performance
The empirical record shows that zero-query attacks can be effective across very different tasks, but their reported metrics are modality-specific. In image classification, ZQBA reports Attack Success Rate 7, SSIM, and the 8 norm of 9. On CIFAR-10, with a ResNet18 target whose clean accuracy is 0, MobileNetv2-derived maps reduce target accuracy to 1 for a MobileNetv2 target, 2 for EfficientNetB2, 3 for ResNet18, and 4 for ResNet50. The paper states that using MobileNetv2-derived maps yields a 5 relative accuracy drop for ResNet18. In cross-domain transfer, generating maps on TinyImageNet and attacking CIFAR-10 drops ResNet18 accuracy from 6 to 7. Against one-query baselines, the reported CIFAR-10, CIFAR-100, and TinyImageNet accuracies are 8, 9, and 0 for Square; 1, 2, and 3 for ZOO; and 4, 5, and 6 for ZQBA (Costa et al., 1 Oct 2025).
For context-aware object detectors, the relevant metric is fooling rate under a context-consistency constraint. On VOC2007 at perturbation budget 7, the white-box fooling rates are 8 for Context-Agnostic, 9 for ZQA, 0 for ZQA-PSPM, and 1 for Few-Query with 2 queries. In black-box transfer to RetinaNet, Libra R-CNN, and FoveaBox, the corresponding ranges are approximately 3–4, 5–6, 7–8, and 9–0. As 1 decreases from 2 to 3, fooling rates drop for all methods, but ZQA-PSPM remains roughly 4 better than context-agnostic and outperforms few-query with up to 5 queries in black-box (Cai et al., 2022).
For ASR, the principal metrics are success rate of attack and signal-to-noise ratio. ZQ-Attack reports 6 success rate of attack with average SNR of 7dB on 8 online speech recognition services in the over-the-line setting, 9 average SRoA with average SNR of 0dB on 1 open-source ASRs, and 2 SRoA with average SNR of 3dB on commercial intelligent voice control devices in the over-the-air setting (Fang et al., 2024).
In ICL text classification, the reported metric is Attack Success Rate defined from the drop in recall on attacked positives. On Llama3-8B with 4-shot prompting, Fake Claim reaches up to 5 ASR on sentiment, 6 on toxicity, and 7 on illicit promotion; Template reaches 8–9 across tasks; and Needle reaches 00 on toxicity, 01 on illicit promotion, and 02 on sentiment. The same paper reports that traditional NLP attacks achieve 03 transfer ASR under the zero-query setting (He et al., 29 Jan 2026).
For LLM retrieval, “Someone Hid It” measures Recall@25/50 and NDCG@25/50 drop on the ground-truth document. Table 2 reports average Recall@25 drops across four datasets. For Qwen1.5, the Recall@25 values are 04 original, 05 with GCG, 06 with PRADA, 07 with Poison-RAG, and 08 with DQ-A. For Gemma, they are 09, 10, 11, 12, and 13; for JinaAI, 14, 15, 16, 17, and 18. The paper states that on 19 of 20 victim models, DQ-A achieves the largest drop, with 21–22 absolute loss in Recall@25 and 23–24 in Recall@50, while Qwen3-Embedding-0.6B is robust and all attacks yield at most a 25 drop (Li et al., 30 Jan 2026).
Q-FAKER reports Attack Success Rate, query count, semantic similarity, perplexity, grammatical errors, and human or LLM-based quality judgments. On the eight AdvBench datasets, it achieves ASR/query pairs of 26 on Assassin, 27 on Enron, 28 on EDENCE, 29 on FAS, 30 on CGFake, 31 on Amazon-LB, 32 on Jigsaw, and 33 on HSOL. On Amazon-LB, the reported quality figures are USE 34, PPL 35, and 36, compared with CT-GAT at USE 37, PPL 38, and 39 (Na et al., 18 Apr 2025).
5. Stealth, evaluation, and points of disagreement
Zero-query black-box attacks are often discussed as if “stealth” were a single property, but the literature evaluates stealth differently across modalities. For ZQBA, stealth is largely perceptual: 40 for all experiments, the final SSIM is always at least 41, and the perturbation is described as “virtually invisible to humans.” The mean 42 for CIFAR-10 images on the 43–44 scale, and the reported 45 norm is 46 on the 47–48 scale (Costa et al., 1 Oct 2025). In ASR, stealth is acoustical: the SNR values of 49dB, 50dB, and 51dB quantify the imperceptibility–effectiveness trade-off, while the paper also notes that human listeners can still occasionally detect commands over repeated listenings (Fang et al., 2024).
In prompt- and text-based attacks, stealth is partly linguistic and partly operational. ICL-Evader emphasizes that zero-query eliminates query-based detection or throttling defenses, but the attacks themselves may insert claims, fake demonstrations, or large haystacks of benign text (He et al., 29 Jan 2026). Q-FAKER addresses linguistic quality directly through USE, PPL, 52, and pairwise naturalness judgments (Na et al., 18 Apr 2025). In object detection, stealth is not only pixel-level but also semantic: the attack must evade a context-consistency check, so a successful perturbation is one that causes misclassification while preserving a plausible joint label set (Cai et al., 2022). In retrieval, the attack can be triggered by a “few tokens” appended to public documents; the paper further raises the possibility that “similar effects may arise from benign or unintended document edits in the real world” (Li et al., 30 Jan 2026).
A second point of disagreement concerns whether zero-query attacks are necessarily lightweight. The evidence is mixed. ZQBA explicitly “does not perform iterative optimization at attack time” (Costa et al., 1 Oct 2025), whereas ZQ-Attack uses a sequential ensemble optimization algorithm over multiple surrogates (Fang et al., 2024), “Someone Hid It” uses alternating optimization and GCG (Li et al., 30 Jan 2026), and Q-FAKER requires surrogate training plus controlled generation (Na et al., 18 Apr 2025). The absence of target queries therefore does not imply absence of substantial offline optimization.
6. Defenses, limitations, and open directions
The defense landscape is heterogeneous and largely modality-specific. ZQBA discusses input purification, including denoising autoencoders and random resizing or padding; feature squeezing through small bit-depth and spatial smoothing; and adversarial training using surrogate-style maps (Costa et al., 1 Oct 2025). ICL-Evader evaluates three primitive defenses—Adversarial Demonstration, Cautionary Warning, and Random Template—and then combines them into a joint defense recipe. The reported joint outcome is Fake Claim ASRR approximately 53, Needle ASRR approximately 54, Template ASRR up to 55, and accuracy degradation at most 56 (He et al., 29 Jan 2026). By contrast, the retrieval paper states that “No off-the-shelf robust defense presently covers pre-retrieval injection; novel defenses are needed” (Li et al., 30 Jan 2026).
The limitations reported in the literature are equally varied. ZQBA is “less effective against models adversarially trained for feature-map poisoning,” and its “single-step nature makes ZQBA weaker than multi-query optimization when a query budget is available” (Costa et al., 1 Oct 2025). ZQ-Attack highlights computational cost from multiple surrogate models and notes an “imperceptibility ceiling” despite mostly inaudible perturbations (Fang et al., 2024). ICL-Evader is limited to binary classification, leaves multi-class, regression, multi-modal ICL, and formal robustness certification unexplored, and flags the need for user studies on human perceptibility of hidden formatting (He et al., 29 Jan 2026). Q-FAKER requires knowledge of the task type to train a surrogate and leaves iterative refinement and generative-LLM jailbreak transfer as future directions (Na et al., 18 Apr 2025). “Someone Hid It” specializes in hide attacks rather than boosting a document’s in-group rank and identifies surrogate choice and prompt design as further variables (Li et al., 30 Jan 2026).
A plausible implication is that zero-query black-box attacks are better understood as a regime of adversarial design rather than a single technique. The regime is defined by the elimination of target interaction, but the enabling mechanisms vary: shared convolutional representations, co-occurrence-aware multi-object plans, cross-architecture acoustic transfer, prompt-format fragility, topic-cluster geometry, and controlled text generation. The published results collectively indicate that strong failure modes can persist even when the attacker never receives target feedback, which shifts the security focus from query monitoring alone toward surrogate-aware robustness, structural defenses, and evaluation protocols that explicitly model zero-query threat assumptions (Costa et al., 1 Oct 2025, Cai et al., 2022, Fang et al., 2024, He et al., 29 Jan 2026, Li et al., 30 Jan 2026, Na et al., 18 Apr 2025).