Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1062

RTLO Override (Right-to-Left Override Attack)

What is RTLO Override (Right-to-Left Override Attack)?

RTLO Override (Right-to-Left Override Attack): A filename and string obfuscation technique that inserts the U+202E Unicode right-to-left override character to flip the rendered order of characters, masking executables as PDFs, images, or docs.


The RTLO attack abuses the Unicode bidirectional algorithm by inserting U+202E (RIGHT-TO-LEFT OVERRIDE) into a filename or string. From that point on, characters are rendered right-to-left until a paragraph break, so `invoice_U+202Efdp.exe` is displayed in Explorer, mail clients, and chat apps as `invoice_exe.pdf`. The file is still an executable — the operating system uses the raw byte order — but the user sees what looks like a harmless document. Variants substitute other bidi-control characters (U+200E, U+200F, U+2066-U+2069) and have been weaponized in phishing campaigns since at least 2011; the same family of tricks underlies the 2021 'Trojan Source' research (Boucher & Anderson) showing that BiDi controls in source code can hide back-doored logic from human reviewers while compilers see something different. Mitigations include stripping or visualizing BiDi controls in any UI that displays untrusted filenames, refusing to execute files containing control characters in their names, and linters that warn on BiDi characters inside source code.

  1. A phishing email attaches `vacation_photo_U+202Efdp.scr` which Outlook renders as `vacation_photo_rcs.pdf` until the user double-clicks it.

  2. A static analyzer added a check after the 2021 'Trojan Source' paper to fail builds containing unbalanced BiDi control characters in source files.
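The mitigations above (visualizing BiDi controls in untrusted filenames, refusing names that contain them, and linting source for unterminated controls) can be sketched as follows. This is an added example, not code from the glossary entry or from any tool it mentions; the function names and sample strings are constructed for illustration, and U+202A-U+202D are included as an assumption beyond the code points the entry lists.

```python
# Bidi controls named on this page: U+200E, U+200F, U+202E, U+2066-U+2069.
# Assumption: U+202A-U+202D (the other embedding/override/pop controls) are included too.
BIDI_CONTROLS = {0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}
EMBED_OPENERS = {0x202A, 0x202B, 0x202D, 0x202E}   # terminated by U+202C (PDF)
ISOLATE_OPENERS = {0x2066, 0x2067, 0x2068}         # terminated by U+2069 (PDI)


def visualize(text):
    """Replace every bidi control with a visible <U+XXXX> token for safe display."""
    return "".join(f"<U+{ord(c):04X}>" if ord(c) in BIDI_CONTROLS else c for c in text)


def inspect_filename(name):
    """Judge an untrusted filename by its stored (logical) order, not its rendering."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if ord(c) in BIDI_CONTROLS})
    logical = "".join(c for c in name if ord(c) not in BIDI_CONTROLS)
    ext = logical.rsplit(".", 1)[1].lower() if "." in logical else ""
    return {"display": visualize(name), "controls": controls,
            "real_extension": ext, "reject": bool(controls)}


def unterminated_bidi_lines(source):
    """Return [(line_no, visualized_line)] where an opener is still open at end of line."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        stack = []
        for cp in map(ord, line):
            if cp in EMBED_OPENERS:
                stack.append("E")
            elif cp in ISOLATE_OPENERS:
                stack.append("I")
            elif cp == 0x202C and stack and stack[-1] == "E":
                stack.pop()                      # PDF closes the innermost embedding
            elif cp == 0x2069 and "I" in stack:
                while stack.pop() != "I":        # PDI also closes embeddings inside it
                    pass
        if stack:
            findings.append((no, visualize(line)))
    return findings


if __name__ == "__main__":
    # Constructed samples; escapes keep this file itself free of raw bidi characters.
    for name in ["invoice_\u202efdp.exe", "vacation_photo_\u202efdp.scr", "report.pdf"]:
        print(inspect_filename(name))
    sample = 'ok = 1\nrole = "user\u202e \u2066# admin check\u2069 \u2066"\nx = "\u2067abc\u2069"\n'
    print(unterminated_bidi_lines(sample))
```

The filename check reads the extension from the stored character order, which is the order the operating system acts on, so the two filenames from this entry resolve to `exe` and `scr` regardless of how they render.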

Frequently asked questions

What is RTLO Override (Right-to-Left Override Attack)?

A filename and string obfuscation technique that inserts the U+202E Unicode right-to-left override character to flip the rendered order of characters, masking executables as PDFs, images, or docs. It belongs to the Attacks and Threats category of cybersecurity.



How do you defend against RTLO Override (Right-to-Left Override Attack)?

Defending against RTLO Override (Right-to-Left Override Attack) typically combines technical controls with operational practices, as described in the definition above.

What are other names for RTLO Override (Right-to-Left Override Attack)?

Common aliases: U+202E attack, Right-to-left override, Trojan Source filename.

Related terms