Adware:Win32/Domaiq is a prominent advertising-supported software family classified as a Potentially Unwanted Application (PUA) or browser hijacker.
Overview for Users and Analysts
While everyday users might view Domaiq merely as an annoyance that changes their homepage and floods them with pop-ups, cybersecurity experts recognize it as a persistent threat that actively degrades the security posture of an endpoint. Domaiq exists to generate fraudulent advertising revenue (click fraud) by forcibly redirecting user traffic through affiliate networks.
Infection and Evasion Strategies
Domaiq relies heavily on deceptive software installers. During the installation of a desired freeware application, Domaiq is silently unpacked and installed. It immediately begins modifying browser configurations (hijacking the default search engine, home page, and new tab page) and installing malicious BHOs (Browser Helper Objects). To maintain its presence against user removal attempts, Domaiq often employs defense evasion tactics: it may dynamically generate randomized filenames for its core executables and create hidden Windows Services that monitor and restore its components if they are deleted.
Forensic Footprint
Incident responders tracking Domaiq will frequently observe unauthorized modifications to browser shortcut files (.lnk files) and anomalous outbound HTTP traffic directed towards known advertising and tracking domains. EDR solutions typically flag its aggressive injection into browser processes and its unauthorized modifications to HKLM\SOFTWARE\Microsoft\Internet Explorer\Main.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
| Technique | Name | Tactic |
|---|---|---|
T1189 | Drive-by Compromise | Initial Access |
T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Privilege Escalation |
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
T1112 | Modify Registry | Defense Evasion |
T1543.003 | Create or Modify System Process: Windows Service | Persistence |
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_DOMAIQ {
meta:
description = "Detects Domaiq (pua)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "domaiq" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Domaiq Activity
id: 6d58423670d86061b4782dee5afd46c4
status: experimental
description: Detects generic indicators of the domaiq malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*domaiq*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/domaiq.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.