attack 2026

Obscure but Effective: Classical Chinese Jailbreak Prompt Optimization via Bio-Inspired Search

Xun Huang 1,2,3, Simeng Qin 4, Xiaoshuang Jia 5, Ranjie Duan 6, Huanqian Yan 7, Zhitao Zeng 8, Fei Yang 9, Yang Liu 1,9, Xiaojun Jia 1

1 Nanyang Technological University

2 BraneMatrix AI

3 Nanjing University of Science and Technology

4 Northeast University

5 Renmin University of China

6 Alibaba Group

7 Beihang University

8 National University of Singapore

9 Zhejiang Lab

0 citations
α

Published on arXiv

2602.22983

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

CC-BOS achieves nearly 100% attack success rate across six representative LLMs, consistently outperforming state-of-the-art jailbreak methods

CC-BOS

Novel technique introduced

As Large Language Models (LLMs) are increasingly used, their security risks have drawn increasing attention. Existing research reveals that LLMs are highly susceptible to jailbreak attacks, with effectiveness varying across language contexts. This paper investigates the role of classical Chinese in jailbreak attacks. Owing to its conciseness and obscurity, classical Chinese can partially bypass existing safety constraints, exposing notable vulnerabilities in LLMs. Based on this observation, this paper proposes a framework, CC-BOS, for the automatic generation of classical Chinese adversarial prompts based on multi-dimensional fruit fly optimization, facilitating efficient and automated jailbreak attacks in black-box settings. Prompts are encoded into eight policy dimensions-covering role, behavior, mechanism, metaphor, expression, knowledge, trigger pattern and context; and iteratively refined via smell search, visual search, and cauchy mutation. This design enables efficient exploration of the search space, thereby enhancing the effectiveness of black-box jailbreak attacks. To enhance readability and evaluation accuracy, we further design a classical Chinese to English translation module. Extensive experiments demonstrate that effectiveness of the proposed CC-BOS, consistently outperforming state-of-the-art jailbreak attack methods.

Key Contributions

  • Introduces classical Chinese as a novel adversarial context for LLM jailbreaks, identifying a safety blind spot where guardrails trained on modern languages fail to detect harmful intent
  • Proposes CC-BOS, a bio-inspired (fruit fly optimization) framework that encodes jailbreak prompts as an 8-dimensional strategy space and iteratively refines them via smell search, visual search, and Cauchy mutation
  • Designs a two-stage classical Chinese-to-English translation module to ensure reliable evaluation of model responses in cross-lingual jailbreak scenarios

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
black_boxinference_timetargeted
Datasets
AdvBench
Applications
large language model safety alignmentllm jailbreaking
Read PDF arXiv

Similar Papers

attack

Friend or Foe: How LLMs' Safety Mind Gets Fooled by Intent Shift Attack

2025 0 cit.
100%
attack

PINA: Prompt Injection Attack against Navigation Agents

2026 0 cit.
100%
attack

The Trojan Example: Jailbreaking LLMs through Template Filling and Unsafety Reasoning

2025 2 cit.
100%
attack

TrailBlazer: History-Guided Reinforcement Learning for Black-Box LLM Jailbreaking

2026 0 cit.
100%
attack

When Harmless Words Harm: A New Threat to LLM Safety via Conceptual Triggers

2025 0 cit.
100%
attack

HarmNet: A Framework for Adaptive Multi-Turn Jailbreak Attacks on Large Language Models

2025 0 cit.
100%
attack

Uncovering the Vulnerability of Large Language Models in the Financial Domain via Risk Concealment

2025 0 cit.
100%
attack

Tree-based Dialogue Reinforced Policy Optimization for Red-Teaming Attacks

2025 0 cit.
100%