Domaiq

Category: pua · Aliases: None known · Sample count (EMBER 2018): 63 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Adware:Win32/Domaiq is a prominent advertising-supported software family classified as a Potentially Unwanted Application (PUA) or browser hijacker.

Overview for Users and Analysts
While everyday users might view Domaiq merely as an annoyance that changes their homepage and floods them with pop-ups, cybersecurity experts recognize it as a persistent threat that actively degrades the security posture of an endpoint. Domaiq exists to generate fraudulent advertising revenue (click fraud) by forcibly redirecting user traffic through affiliate networks.

Infection and Evasion Strategies
Domaiq relies heavily on deceptive software installers. During the installation of a desired freeware application, Domaiq is silently unpacked and installed. It immediately begins modifying browser configurations (hijacking the default search engine, home page, and new tab page) and installing malicious BHOs (Browser Helper Objects). To maintain its presence against user removal attempts, Domaiq often employs defense evasion tactics: it may dynamically generate randomized filenames for its core executables and create hidden Windows Services that monitor and restore its components if they are deleted.

Forensic Footprint
Incident responders tracking Domaiq will frequently observe unauthorized modifications to browser shortcut files (.lnk files) and anomalous outbound HTTP traffic directed towards known advertising and tracking domains. EDR solutions typically flag its aggressive injection into browser processes and its unauthorized modifications to HKLM\SOFTWARE\Microsoft\Internet Explorer\Main.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1189Drive-by CompromiseInitial Access
T1546.015Event Triggered Execution: Component Object Model HijackingPrivilege Escalation
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion
T1112Modify RegistryDefense Evasion
T1543.003Create or Modify System Process: Windows ServicePersistence

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_DOMAIQ {
    meta:
        description = "Detects Domaiq (pua)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "domaiq" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Domaiq Activity
id: 6d58423670d86061b4782dee5afd46c4
status: experimental
description: Detects generic indicators of the domaiq malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*domaiq*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Deploy enterprise EDR solutions or specialized anti-adware utilities to cleanly terminate Domaiq's hidden monitoring services.
  2. Audit all browser shortcut files (`.lnk`) on the desktop and taskbar, removing any malicious URLs appended to the target paths.
  3. Purge the system registry of Domaiq's persistence keys, specifically checking for rogue Browser Helper Objects (BHOs).
  4. Clear all browser caches, cookies, and extension directories to ensure no residual tracking scripts remain active.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not click on any pop-ups or warnings generated by Domaiq, as these often lead to the installation of secondary, more severe malware.
  2. Avoid manual registry editing unless conducted by an expert, as Domaiq often obfuscates its keys among critical Windows system entries.

References & External Analysis

Related Families (Category: pua)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/domaiq.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.