ARMOR++: Multi-Agent Orchestrated Multi-Primitive Transfer Attacks Against Deepfake Detectors
This paper introduces ARMOR++, a highly transferable black-box adversarial attack framework targeting deepfake detectors. Addressing the lack of semantic awareness in existing attacks and their inability to remain effective under strict no-query constraints, ARMOR++ leverages the Qwen2.5-VL vision-language model for spatial-semantic priors, orchestrated by the Qwen3 large language model for primitive selection, adaptive hyperparameter reparameterization, and entropy-regularized perturbation mixing. By integrating five complementary primitives—dense optimization, saliency-based methods, spatial transformations, frequency-domain perturbations, and block-structure modifications—ARMOR++ effectively attacks diverse detectors with heterogeneous inductive biases. Experiments on the AADD-2025 benchmark demonstrate that ARMOR++ significantly outperforms both agent-based and non-agent baselines across both high- and low-quality image regimes, substantially improving blind-target attack success rates and revealing reliability gaps in current detector deployments.
Background and Context
The security infrastructure surrounding deepfake detection technologies is currently facing a severe crisis of reliability, particularly within black-box adversarial transfer scenarios. Existing detection models predominantly rely on fragile, architecture-specific forensic cues that fail to generalize across different generative backends. This dependency creates a significant vulnerability gap where the robustness of these systems degrades rapidly when subjected to adversarial perturbations. While prior research has attempted to stress-test these detectors using adversarial methods, a critical limitation persists: most existing approaches lack deep semantic awareness of the image content. Furthermore, these methods often struggle to maintain effectiveness under strict no-query constraints, especially when the perturbation strategy must transfer from convolutional neural network (CNN) surrogate models to Transformer-based target models. In such cross-architecture migrations, the attack efficacy typically suffers from substantial attenuation, rendering many current evaluation metrics optimistic and disconnected from real-world threat landscapes.
To address this critical bottleneck, the ARMOR++ framework has been introduced as a robust, multi-agent system specifically designed to achieve high-transferability deepfake evasion. The core innovation of this work lies in its introduction of an agent orchestration mechanism that coordinates multiple specialized modules. This architecture not only enhances the stealth of the generated perturbations but also significantly improves the generalization capability against unknown detectors. By simulating a more realistic adversarial environment, ARMOR++ provides a more accurate assessment of the actual security boundaries of current deepfake detection systems. This research fills a notable void in the study of semantic-aware adversarial attacks, offering a crucial reference benchmark for the development of more resilient defense mechanisms in the future.
Deep Analysis
From a technical implementation perspective, ARMOR++ synergistically combines the capabilities of vision-language models with large language models to execute sophisticated attacks. The framework utilizes the Qwen2.5-VL vision-language model to extract spatial-semantic priors from input images. This allows the attack process to understand the structural features and semantic content of the image, ensuring that the generated perturbations maintain semantic consistency with the original content. Subsequently, the Qwen3 large language model acts as the agent orchestrator. It is responsible for dynamically selecting the optimal attack primitives, executing adaptive hyperparameter reparameterization, and performing entropy-regularized perturbation mixing. This design enables the system to flexibly adjust its strategy based on the specific characteristics of the input image, moving beyond static, one-size-fits-all attack vectors.
ARMOR++ integrates five complementary attack primitives that cover dense optimization, saliency-based methods, spatial transformations, frequency-domain perturbations, and block-structure modifications. These primitives target different feature dimensions, allowing the system to effectively exploit the heterogeneous inductive biases present in diverse detectors. By coordinating these multi-domain primitives, ARMOR++ generates adversarial examples that are difficult for detectors to identify, achieving comprehensive coverage from local feature manipulation to global semantic alteration. The integration of these diverse techniques ensures that the attack is not limited by the specific vulnerabilities of a single detection method, thereby maximizing the transferability of the adversarial samples across different detector architectures.
Industry Impact
The experimental validation of ARMOR++ was conducted on the AADD-2025 benchmark, covering both low-quality and high-quality image regimes. The results demonstrate that ARMOR++ significantly outperforms both agent-based and non-agent baselines in terms of blind-target attack success rates (ASR). The performance advantage is statistically significant, particularly when facing unknown detectors, highlighting the framework's superior transferability. Ablation studies further reveal that the integration of all five primitives is crucial for maximizing attack effectiveness; using any single primitive in isolation fails to achieve optimal results. This finding underscores the necessity of a multi-faceted approach in adversarial attacks, where the synergy between different perturbation types creates a more robust and versatile attack vector.
Furthermore, the research analyzed the attack performance under various defense configurations. Even against robust defense settings, ARMOR++ maintained a high attack success rate. These results indicate a significant reliability gap in current deepfake detectors when confronted with semantic-aware, multi-agent attacks. The existing defense mechanisms are insufficient to handle such complex adversarial threats, suggesting that many deployed systems may be operating under a false sense of security. This revelation has profound implications for the industry, as it exposes the fragility of current detection standards and calls for a reevaluation of how security is measured and enforced in deepfake mitigation strategies.
Outlook
The findings from ARMOR++ have far-reaching implications for both the open-source community and industrial deployment. First, the framework exposes the inherent vulnerabilities of deepfake detection systems in black-box environments, serving as a wake-up call for industry stakeholders. It emphasizes the need to consider adversarial attack risks during the deployment phase and to prioritize robustness training in model development. By highlighting these weaknesses, ARMOR++ encourages a shift towards more resilient detection architectures that can withstand sophisticated, multi-primitive attacks.
Second, the multi-agent orchestration mechanism proposed in this framework offers a new paradigm for future adversarial attack research. It demonstrates the immense potential of combining vision-language models with large language models in generating adaptive and semantically coherent adversarial examples. For the open-source community, the release of the ARMOR++ code and benchmark results will facilitate the establishment of fairer evaluation standards. This will promote a healthy competition between detectors and attackers, driving continuous improvement in both fields. Finally, this research underscores the importance of integrating cross-modal semantic understanding with adversarial attacks in the field of AI security. It points the way toward the development of smarter, more adaptive security defense systems capable of maintaining information integrity in an increasingly complex digital content ecosystem.