{
	"id": "c38a4ac3-a5ec-42bf-9395-9168e6b98f40",
	"created_at": "2026-04-29T02:22:03.433752Z",
	"updated_at": "2026-04-29T08:22:29.673826Z",
	"deleted_at": null,
	"sha1_hash": "ad494007ea6092b64ae50d92cc90c658e1e3894a",
	"title": "Spoof Using Right to Left Override (RTLO) Technique - InfoSec Resources",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45614,
	"plain_text": "Spoof Using Right to Left Override (RTLO) Technique - InfoSec\r\nResources\r\nPublished: 2015-04-16 · Archived: 2026-04-29 02:03:42 UTC\r\nIn this article we will learn about one of the most overlooked spoofing mechanisms, known as right to left\r\noverride (RTLO).\r\nWhat is RTLO?\r\nRIGHT TO LEFT OVERRIDE is a Unicode character mainly used for the writing and the reading of Arabic or Hebrew text.\r\nUnicode has a special character, U+202e, that tells computers to display the text that follows it in right-to-left\r\norder. This technique is used to disguise the names of files, which can then be attached to a carrier such as email. For\r\nexample, the file shown as ThisIsRTLOfileexe.doc is actually ThisIsRTLOfiledoc.exe, which is an executable\r\nfile with a U+202e placed just before “doc.”\r\nThough some email applications and services that block executable files from being included in messages also\r\nblock .exe programs that are obfuscated with this technique, unfortunately many mail applications don’t or can’t\r\nreliably scan archived and zipped documents, and the malicious files manipulated in this way are indeed being\r\nspammed out within zip archives.\r\nFor example, let’s create a file with the name TestingRTLO[U+202E]xcod.txt. “U+202E” can be copied and pasted\r\nfrom the above character map present in Windows. 
To make sure the character is actually present, do the\r\nfollowing steps:\r\nCreate a new text document and see its properties and note down its name:\r\nNow rename the file with the copied U+202E characters and see the change in file name:\r\nNow rename the file TestingRTLO[U+202E]xcod.txt with the character inserted and see the results below.\r\nFile extension types that can be dangerous\r\nThe section below lists the common file types that can be used to execute unwanted code in the system:\r\n.bat\r\n.exe\r\n.cmd\r\n.com\r\n.lnk\r\n.pif\r\n.scr\r\n.vb\r\n.vbe\r\n.vbs\r\n.wsh\r\nRemediation against RTLO\r\nThough most endpoint security solutions like antivirus detect this type of spoofing, and some IRC clients even\r\nchange the crafted malicious links back to original form, many mail applications don’t or can’t reliably scan\r\narchived and zipped documents, and the malicious files manipulated in this way are indeed being spammed out\r\nwithin zip archives. The biggest example of this is in the usage of the backdoor “Etumbot”. Some features of\r\nWindows also help carry out this type of attack; for example, Windows hides file extensions by default. Malicious\r\nindividuals can set any icon they want for, let’s say, a .exe file. 
A file named pic.jpg.exe using the standard image\r\nicon will look like a harmless image with Windows’ default settings.\r\nUncheck this selection and Windows will stop hiding extensions for known file types.\r\nAnother good approach is to make sure that the folder where all downloads land has its view set\r\nto ‘content’.\r\nThis will make sure that the files will appear in their original form despite all the changes.\r\nThough this technique is a bit old, it is still being used in backdoors like Etumbot, malware known as Sirefef, etc.\r\nLohit Mehta is a passionate Information Security professional.\r\nSource: https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/"
	],
	"report_names": [
		"spoof-using-right-to-left-override-rtlo-technique-2"
	],
	"threat_actors": [],
	"ts_created_at": 1777429323,
	"ts_updated_at": 1777450949,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad494007ea6092b64ae50d92cc90c658e1e3894a.pdf",
		"text": "https://archive.orkl.eu/ad494007ea6092b64ae50d92cc90c658e1e3894a.txt",
		"img": "https://archive.orkl.eu/ad494007ea6092b64ae50d92cc90c658e1e3894a.jpg"
	}
}