T1027.018
Obfuscated Files or Information: Invisible Unicode
Description from ATT&CK
Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text. By inserting characters that do not visibly render, adversaries may hide data, alter how content is interpreted, or make malicious code appear as benign text or whitespace. Adversaries may encode these malicious payloads, using binary, Base64, or custom schemes, to be reconstructed at runtime through scripting features such as JavaScript Proxy traps, eval(), or other dynamic execution methods. This technique enables adversaries to evade visual inspection and basic static analysis by hiding malicious encoded content in innocuous text.(Citation: PUAs Unicode - Eriksen)(Citation: Tycoon2FA - Unicode)(Citation: Unicode - Veracode)

Unicode is a standardized character encoding model that assigns a unique numerical value, known as a code point, to every character across writing systems, enabling consistent text representation across platforms, applications, and languages. Code points are represented as U+ followed by a hexadecimal value and may be encoded using formats such as UTF-8 or UTF-16. Adversaries may abuse the valid code points in Unicode that are not visibly rendered but still take up bytes, such as zero-width spaces, variation selectors, or bidirectional formatting controls, to conceal malicious payloads.(Citation: Tycoon2FA - Unicode)(Citation: GlassWorm - Unicode)(Citation: Unicode and Hidden Prompts - Perets)

Adversaries may additionally exploit Private Use Area (PUA) characters, a range of code points reserved for custom assignment. PUA characters that are not defined by a font or application are typically rendered blank.(Citation: PUAs Unicode - Eriksen)
Unicode characters may also be leveraged in support of other techniques such as Phishing, Right-to-Left Override, or User Execution. For example, some adversaries may embed artificial intelligence (AI) prompt injections using invisible Unicode characters in emails or documents that appear benign when processed by AI systems.(Citation: LLMs and Unicode - Medium)(Citation: Invisible Prompt Injection - Trend Micro)
Atomic Tests
- Atomic Test #1: File Masquerading with Zero-Width Space
- Atomic Test #2: Invisible Unicode in Environment Variables
- Atomic Test #3: Binary Masquerading via Invisible Unicode
Atomic Test #1: File Masquerading with Zero-Width Space
Creates a file named 'secret.txt' but inserts a Zero-Width Space (U+200B) before the extension. This emulates how adversaries hide malicious files in plain sight, as they appear identical to legitimate files in File Explorer.
Supported Platforms: Windows
auto_generated_guid: 5917f0fd-c6d4-4af8-b89d-f3db06349c49
Attack Commands: Run with powershell!

```powershell
# U+200B (ZERO WIDTH SPACE) occupies a code unit but renders as nothing, so the
# name displays as "secret.txt" in File Explorer.
$fileName = "secret" + [char]0x200B + ".txt"
New-Item -Path "$env:TEMP\$fileName" -ItemType "file" -Value "Hidden Unicode Content" -Force
Write-Host "Created file: $env:TEMP\$fileName"
```

Cleanup Commands

```powershell
$fileName = "secret" + [char]0x200B + ".txt"
Remove-Item -Path "$env:TEMP\$fileName" -ErrorAction Ignore
```

Atomic Test #2: Invisible Unicode in Environment Variables
Sets an environment variable that includes a Zero-Width Non-Joiner (U+200C). This emulates techniques used to hide configuration data or persistence paths from administrators performing manual audits.
Supported Platforms: Windows
auto_generated_guid: 125b1b41-bcef-42c3-acaa-a44303e3ffc1
Attack Commands: Run with powershell!

```powershell
# U+200C (ZERO WIDTH NON-JOINER) makes the variable name look like "PATH"
# while remaining a distinct variable from the real PATH.
$varName = "PATH" + [char]0x200C
[Environment]::SetEnvironmentVariable($varName, "C:\Users\Public\Malicious", "User")
Write-Host "Hidden environment variable '$varName' set."
```

Cleanup Commands

```powershell
$varName = "PATH" + [char]0x200C
[Environment]::SetEnvironmentVariable($varName, $null, "User")
```

Atomic Test #3: Binary Masquerading via Invisible Unicode
Copies a system binary (calc.exe) to a new name containing an invisible character (U+200D) and executes it. This tests the ability of EDRs to handle non-normalized file paths in process execution events.
Supported Platforms: Windows
auto_generated_guid: 28e30460-ce18-4974-8e6a-5a2bb74e5c07
Attack Commands: Run with powershell!

```powershell
# U+200D (ZERO WIDTH JOINER) in the file name yields a process image path that
# displays as "calc.exe" but does not match that string byte-for-byte.
$hiddentarget = "$env:TEMP\calc" + [char]0x200D + ".exe"
Copy-Item "C:\Windows\System32\calc.exe" -Destination $hiddentarget
Start-Process $hiddentarget
```

Cleanup Commands

```powershell
$hiddentarget = "$env:TEMP\calc" + [char]0x200D + ".exe"
Stop-Process -Name "calc*" -ErrorAction Ignore
Remove-Item $hiddentarget -ErrorAction Ignore
```

Atomic test(s) for this technique last updated: 2026-05-11 20:47:03 UTC
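As an added example (not part of the Atomic Red Team tests or the ATT&CK text), a small Python checker for the hidden code-point classes the description lists and the three tests above insert: it reports every zero-width, bidirectional-control, variation-selector, Private Use Area or other format code point in a file name, environment-variable name or path, and shows the name an analyst would actually see rendered. The sample names are constructed to mirror Tests #1-#3; the category labels are this example's own.

```python
import unicodedata

# Zero-width / joiner code points (U+200B, U+200C and U+200D are the ones the
# three tests above insert), plus word joiner and zero-width no-break space.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
# Bidirectional embedding/override/isolate controls (U+202A-U+202E, U+2066-U+2069).
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
# Variation selectors (U+FE00-U+FE0F and the supplementary block U+E0100-U+E01EF).
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))
# Private Use Areas: the BMP block plus the two supplementary planes.
PUA_RANGES = ((0xE000, 0xF8FF), (0xF0000, 0xFFFFD), (0x100000, 0x10FFFD))

def classify(cp):
    """Return a label for a hidden/non-rendering code point, or None if it is ordinary."""
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if cp in VARIATION_SELECTORS:
        return "variation-selector"
    if any(lo <= cp <= hi for lo, hi in PUA_RANGES):
        return "private-use"
    # Any other Unicode "format" character (general category Cf), e.g. U+00AD SOFT HYPHEN.
    if unicodedata.category(chr(cp)) == "Cf":
        return "format-control"
    return None

def find_invisible(text):
    """List (index, 'U+XXXX', label) for every hidden code point in a name or path."""
    hits = []
    for i, ch in enumerate(text):
        label = classify(ord(ch))
        if label:
            hits.append((i, f"U+{ord(ch):04X}", label))
    return hits

def visible_name(text):
    """The string as it renders to a human: hidden code points removed."""
    return "".join(ch for ch in text if classify(ord(ch)) is None)

# Constructed samples mirroring Tests #1-#3 (file name, env-var name, binary name).
SAMPLES = {"file": "secret\u200b.txt", "envvar": "PATH\u200c",
           "binary": "calc\u200d.exe", "clean": "secret.txt"}

if __name__ == "__main__":
    for label, name in SAMPLES.items():
        print(f"{label:6} renders as {visible_name(name)!r:13} hidden={find_invisible(name)}")
```

Run over file-creation, process-creation or environment-variable telemetry, a non-empty result from find_invisible (equivalently, visible_name differing from the stored value) is the condition to alert on.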