Home > List all groups > List all tools > List all groups using tool HotelAlfa

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: HotelAlfa

Description(Novetta) HotelAlfa is a stripped down HTTP server that hosted the Guardians of Peace (GOP) hackers’ webpage announcing their demands against SPE as well as the locations of the data that the GOP attackers stole. Consisting of only 4 functions, HotelAlfa is an extremely simple piece of code and is clearly created for a limited purpose.

For each incoming connection, HotelAlfa spins off a new thread to handle the request. The thread reads up to 4096 bytes from the client and scans the response for specific keywords. The request from the client does not necessarily need to conform or comply with the HTTP request standard. Instead, the request merely must contain the appropriate file extension otherwise the default HTML page is returned. HotelAlfa responds to .wav and .j p g file extensions with the appropriate file.

HotelAlfa only supplies three files to the client: an HTML page, a WAV sound file, and a JPG image. These files are stored within the HotelAlfa binary’s resource section under the RC_DATA branch. Each file is encoded with XOR 0x63, requiring HotelAlfa to decode each file prior to transmitting the data back to the requesting client. When HotelAlfa sends a response back to the client, the response does conform to the HTTP 1.1 standard.

Last change to this tool card: 19 April 2020

Download this tool card in JSON format

All groups using tool HotelAlfa


APT groups

 Lazarus Group, Hidden Cobra, Labyrinth ChollimaNorth Korea2007-Spring 2021X

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key