MITRE ATT&CK Technique
Defense Evasion T1036.002
Description

Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique) Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.

Supported Platforms
Linux macOS Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-02-10T19:55:29.385Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse the right-to-left override (RTLO or '
                'RLO) character (U+202E) to disguise a string and/or file name '
                'to make it appear benign. RTLO is a non-printing Unicode '
                'character that causes the text that follows it to be '
                'displayed in reverse. For example, a Windows screensaver '
                'executable named <code>March 25 \\u202Excod.scr</code> will '
                'display as <code>March 25 rcs.docx</code>. A JavaScript file '
                'named <code>photo_high_re\\u202Egnp.js</code> will be '
                'displayed as <code>photo_high_resj.png</code>.(Citation: '
                'Infosecinstitute RTLO Technique)\n'
                '\n'
                'Adversaries may abuse the RTLO character as a means of '
                'tricking a user into executing what they think is a benign '
                'file type. A common use of this technique is with '
                '[Spearphishing '
                'Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious '
                'File](https://attack.mitre.org/techniques/T1204/002) since it '
                'can trick both end users and defenders if they are not aware '
                'of how their tools display and render the RTLO character. Use '
                'of the RTLO character has been seen in many targeted '
                'intrusion attempts and criminal activity.(Citation: Trend '
                'Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO '
                'can be used in the Windows Registry as well, where '
                'regedit.exe displays the reversed characters but the command '
                'line tool reg.exe does not by default.',
 'external_references': [{'external_id': 'T1036.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1036/002'},
                         {'description': 'Alintanahin, K.. (2014, May 23). '
                                         'PLEAD Targeted Attacks Against '
                                         'Taiwanese Government Agencies. '
                                         'Retrieved April 22, 2019.',
                          'source_name': 'Trend Micro PLEAD RTLO',
                          'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/'},
                         {'description': 'Firsh, A.. (2018, February 13). '
                                         'Zero-day vulnerability in Telegram - '
                                         'Cybercriminals exploited Telegram '
                                         'flaw to launch multipurpose attacks. '
                                         'Retrieved April 22, 2019.',
                          'source_name': 'Kaspersky RTLO Cyber Crime',
                          'url': 'https://securelist.com/zero-day-vulnerability-in-telegram/83800/'},
                         {'description': 'Security Ninja. (2015, April 16). '
                                         'Spoof Using Right to Left Override '
                                         '(RTLO) Technique. Retrieved April '
                                         '22, 2019.',
                          'source_name': 'Infosecinstitute RTLO Technique',
                          'url': 'https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/'}],
 'id': 'attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:58.683Z',
 'name': 'Right-to-Left Override',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (5)
Ferocious Kitten
High
Ke3chang
High
BlackTech
High
BRONZE BUTLER
High
Scarlet Mimic
High
Back to TTPs
Dashboard About