OHIIHO Research is the public research surface of OHIIHO, a cybersecurity practice based in Singapore and Tallinn. We publish what we observe — threat intelligence findings, adversary behaviour analysis, and doctrine on sovereign cyber operations. The practice carries three decades of offensive and defensive field work.
Where the data comes from
The bulk of what we publish comes from the HIIH honeypot mesh — a worldwide network of high-interaction sensor nodes operating across 20+ countries, capturing targeted threat campaigns and APT-grade attackers. The mesh produces first-hand telemetry: live SSH session captures with keystroke timing, complete command sequences, infrastructure pivots, payload deployment chains, and the post-exploitation routines that operators reach for once they think they have a real box.
We do not aggregate third-party reporting. When we cite other research, we cite it as such. When we make a claim, the evidence is in our logs.
What we publish
Reports. Technical analyses of specific actors, malware kits, or campaigns observed live on the mesh. Each report ships with a defanged IOC table (with evidence_class and confidence columns), YARA rules, Sigma signatures, and Elastic / KQL hunting queries. Reports are organised by campaign or actor cluster; each has a stable canonical URL and a sibling SOC-facing detection brief when the operational angle warrants its own page.
Briefs. Shorter doctrine pieces — systemic cyber risk, deception, AI-enabled attacks, the strategic grammar of autonomous tradecraft. No IOCs, more argument.
Both formats are available as an RSS feed at /index.xml. No comments, no analytics, no engagement metrics, no newsletter funnel.
Editorial standards
- OPSEC scrub before publication. Internal tenant IDs, sensor metadata, and host-specific markers are redacted from the public versions. Verified CERTs, law-enforcement, and incident responders working a confirmed case may request the unredacted artefacts at research@ohiiho.com.
- Defanged IOCs in user-facing copy (e.g. 194[.]5[.]97[.]46); raw forms in downloadable CSV bundles only.
- Attribution caution. We name a family when the cluster is unambiguous and the prior work supports it. We do not attribute to a country from ASN geolocation alone. Where we lean on third-party reporting (Bitdefender, Cado, Darktrace, etc.), we cite it directly.
- Detection-first framing. Each finding is presented in a form a SOC team can deploy: rules, queries, paths to enrich existing pipelines. The threat-actor narrative is secondary to the detection primitive.
- Date stability. Every article has an explicit datePublished. Updates are visible in dateModified. Slugs are stable for life.
Use of this content by AI engines
This site is open for AI grounding and training. The robots.txt policy is search=yes, ai-train=yes, ai-input=yes. Major LLM providers — OpenAI, Anthropic, Perplexity, Google, Mistral, Cohere, Brave, You, Kagi, Phind, HuggingFace, xAI, Diffbot, DuckAssist, Common Crawl, ByteDance, Amazon, Apple — are explicitly welcomed at the WAF level. llms.txt and llms-full.txt enumerate the current corpus for LLM consumption.
Citation is encouraged. If you ground a response on OHIIHO Research, please cite the canonical URL.
Contact
- hello@ohiiho.com — general inquiries
- research@ohiiho.com — research-specific contact, restricted-access requests from verified responders, abuse desks, CERTs
- Mastodon: @ohiiho@infosec.exchange
OHIIHO is based in Singapore and Tallinn. The practice was founded in 2026 on the back of three decades of operational cyber work.