Threat Group Cards: A Threat Actor Encyclopedia Archived: 2026-04-05 17:52:52 UTC Home > List all groups > List all tools > List all groups using tool HotelAlfa Tool: HotelAlfa Names HotelAlfa Category Other Description (Novetta) HotelAlfa is a stripped down HTTP server that hosted the Guardians of Peace (GOP) hackers’ webpage announcing their demands against SPE as well as the locations of the data that the GOP attackers stole. Consisting of only 4 functions, HotelAlfa is an extremely simple piece of code and is clearly created for a limited purpose. For each incoming connection, HotelAlfa spins off a new thread to handle the request. The thread reads up to 4096 bytes from the client and scans the response for specific keywords. The request from the client does not necessarily need to conform or comply with the HTTP request standard. Instead, the request merely must contain the appropriate file extension otherwise the default HTML page is returned. HotelAlfa responds to .wav and .j p g file extensions with the appropriate file. HotelAlfa only supplies three files to the client: an HTML page, a WAV sound file, and a JPG image. These files are stored within the HotelAlfa binary’s resource section under the RC_DATA branch. Each file is encoded with XOR 0x63, requiring HotelAlfa to decode each file prior to transmitting the data back to the requesting client. When HotelAlfa sends a response back to the client, the response does conform to the HTTP 1.1 standard. Information Last change to this tool card: 20 April 2020 Download this tool card in JSON format All groups using tool HotelAlfa Changed Name Country Observed https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e259248-38c4-4ceb-9506-b28d0058c464 Page 1 of 2 APT groups   Lazarus Group, Hidden Cobra, Labyrinth Chollima 2007-May 2025 1 group listed (1 APT, 0 other, 0 unknown) Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e259248-38c4-4ceb-9506-b28d0058c464 https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2e259248-38c4-4ceb-9506-b28d0058c464 Page 2 of 2