T1036.002: Right-to-Left Override
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.[1]
Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.[2][3] RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
Analyst context for executives and security teams
Right-to-Left Override is a filename/string deception technique that can make a malicious file appear to be a harmless document or image by abusing a non-printing Unicode character. The business risk is not the character itself; it is the possibility that users, help desks, SOC tools, and incident responders may see a misleading filename and make the wrong trust decision during email triage, endpoint review, or incident scoping.
Executive priority
Treat this as a control-validation issue for phishing resilience, endpoint visibility, and SOC evidence quality across Windows, macOS, and Linux. Leaders should ask whether security tools display the true filename and extension, whether email and endpoint workflows flag Unicode filename spoofing, and whether incident reports preserve raw artifact names rather than only rendered names. This matters for auditability and incident decision-making because a visually benign attachment can mask an executable or script and slow containment if logs and consoles render it inconsistently.
Technical view
ATT&CK provides no official detection text for T1036.002, but the related detection strategy DET0527 focuses on filename and execution context. SOC and detection teams should validate that telemetry captures raw filenames, command-line arguments, file creation events, attachment metadata, and process execution details containing U+202E/RTLO. Detection should not rely only on what an analyst console visually renders. Triage should compare displayed names against actual file extensions and execution behavior, especially where this appears near user-driven execution or spearphishing attachment workflows referenced by ATT&CK.
Likely telemetry
- Email attachment metadata and gateway logs with raw filename values
- Endpoint file creation, rename, download, and quarantine events
- Process execution telemetry showing actual image path, command line, parent process, and user context
- File system and EDR records that preserve Unicode characters rather than normalized display strings
- Windows Registry observations where relevant, because ATT&CK notes rendering differences between regedit.exe and reg.exe
Detection direction
- Search for filenames, registry strings, and command lines containing the Unicode right-to-left override character U+202E.
- Validate detections using both raw string inspection and analyst-console rendering, since the same artifact may look different across tools.
- Correlate RTLO use with execution context: user-opened attachments, script execution, unusual parent processes, or mismatched displayed versus actual extension.
- Tune carefully for false positives: the presence of Unicode control characters is suspicious in filenames and executable paths, but local business use and language requirements should be reviewed before broad blocking.
- Use the related DET0527 strategy as a coverage target, but verify local telemetry quality because ATT&CK does not provide official detection logic for this technique.
Mitigation priorities
- Prioritize user-facing controls that reduce execution of deceptive attachments and files, especially where spearphishing attachments and malicious-file execution are in scope.
- Ensure email, endpoint, and file security controls inspect raw filenames and actual extensions rather than relying on rendered display names.
- Harden SOC workflows so analysts can view raw Unicode, actual file type, hash, extension, and execution context in one place.
- Include RTLO examples in phishing awareness and help-desk escalation guidance without depending on user training as the primary control.
- Preserve raw artifact names in incident response evidence collection to avoid confusion during scoping and reporting.
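As an added example, not part of the ATT&CK object or of the Glexia analysis above, the following Python script implements the detection direction (search raw filenames, command lines and registry strings for U+202E, then compare displayed versus actual extension) and the mitigation point about inspecting raw names rather than rendered ones. The sample strings are constructed: the two filenames from the ATT&CK description plus an invented download path and a benign document. The "tail reversal" rendering model and the list of executable extensions are assumptions made for the example; real consoles apply the full Unicode bidirectional algorithm.

```python
import os
import unicodedata

# The character this page is about: U+202E RIGHT-TO-LEFT OVERRIDE.
RTLO = "\u202e"
assert unicodedata.name(RTLO) == "RIGHT-TO-LEFT OVERRIDE"

# Constructed sample artifacts (not real telemetry). The first two are the
# filenames from the ATT&CK description; the path and the report are invented.
SAMPLE_STRINGS = [
    "March 25 \u202excod.scr",
    "photo_high_re\u202egnp.js",
    "C:\\Users\\alice\\Downloads\\invoice_\u202efdp.exe",
    "quarterly_report.docx",
]

# Assumed list of extensions that execute when double-clicked on Windows;
# tune to local policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".lnk", ".msi",
}


def rendered_name(raw: str) -> str:
    """Approximate what a naive console shows for a string containing U+202E:
    everything after the override is drawn reversed. This is an assumption
    that matches the examples on the page; it is not the full bidi algorithm."""
    if RTLO not in raw:
        return raw
    head, _, tail = raw.partition(RTLO)
    return head + tail[::-1]


def analyze(raw: str) -> dict:
    """Compare the raw string with its rendered form and report the mismatch
    an analyst console would hide. Returns a dict so callers can log it."""
    displayed = rendered_name(raw)
    actual_ext = os.path.splitext(raw)[1].lower()
    displayed_ext = os.path.splitext(displayed)[1].lower()
    mismatch = actual_ext != displayed_ext
    return {
        "raw": raw,
        # Escaped form (\u202e visible) for reports that must preserve raw names.
        "escaped": raw.encode("unicode_escape").decode("ascii"),
        "contains_rtlo": RTLO in raw,
        "displayed": displayed,
        "actual_extension": actual_ext,
        "displayed_extension": displayed_ext,
        "extension_mismatch": mismatch,
        # Highest concern: the real extension executes but the shown one looks like data.
        "severity": "high" if mismatch and actual_ext in EXECUTABLE_EXTENSIONS
                    else ("medium" if RTLO in raw else "none"),
    }


def scan_strings(strings) -> list:
    """Run the check over any iterable of raw strings (filenames, command lines,
    registry value names) and return only the ones containing U+202E."""
    return [analyze(s) for s in strings if RTLO in s]


if __name__ == "__main__":
    for finding in scan_strings(SAMPLE_STRINGS):
        print(f"[{finding['severity']}] raw={finding['escaped']} "
              f"displayed={finding['displayed']!r} "
              f"actual_ext={finding['actual_extension']} "
              f"displayed_ext={finding['displayed_extension']}")
```

The script reports the escaped form alongside the rendered one so that a case note or ticket preserves the real name even when the console that produced it does not; the same `scan_strings` call can be pointed at exported attachment metadata or process command lines as long as the export keeps the raw Unicode rather than a normalized display string.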
Analyst notes and limits
This technique is a sub-technique of Masquerading and is categorized under stealth. ATT&CK relationships associate it with multiple groups, including Ke3chang, Scarlet Mimic, BRONZE BUTLER, BlackTech, and Ferocious Kitten; this should be used as threat-intelligence context, not as attribution from a local alert. The key defensive lesson is to test how each security and productivity tool renders, stores, searches, and exports RTLO-containing strings.
The supplied ATT&CK object does not include official detection guidance or mitigations. The take is therefore based on the official description, supported platforms, tactic, external references, and the provided DET0527 relationship. Local conclusions require environment-specific evidence from email, endpoint, file, registry, and case-management systems.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | This object is a sub-technique of Masquerading. |
Groups, software, and campaigns
G0137: Ferocious Kitten
Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.[1]
G0098: BlackTech
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]
G0004: Ke3chang
G0029: Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [1]
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 0a7f2284a4d9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Infosecinstitute RTLO Technique: Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.
[2] Trend Micro PLEAD RTLO: Alintanahin, K. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.
[3] Kaspersky RTLO Cyber Crime: Firsh, A. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.
[4] mitre-attack: T1036.002.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.