Domen – Sophisticated Social Engineering Toolkit

Domen is a malware delivery toolkit that uses extensive reconnaissance and social engineering techniques to ensure its delivery campaigns are successful. Domen is able to target desktop and mobile users in thirty different languages across more than twenty countries.

The group operating Domen use previously compromised websites, primarily running content management systems or blogging platforms, as initial watering holes. The group will then place an HTML iframe element containing Domen on the compromised sites. Users are directed to the sites via malicious adverts or redirects from other legitimate sites. There are also unconfirmed reports suggesting the group distribute links to the compromised sites via spam email campaigns.

The idea of this kit is to compromise a website, usually WordPress, and use that to display an overlay (loaded as an iframe) on the viDomensitors’ screens. The overlay entices visitors to install an update that really downloads the NetSupport RAT.

Once a user reaches a compromised site, Domen will execute several scripts to collect user and system information including operating system version, location and browser activity. It will then use this information to display an overlay asking the user to download a relevant product or technology. Interacting with this overlay will download the intended payload, which will differ depending on the user profile and device operating system.

A look at the domain on VirusTotal

Affected Platforms

  • Microsoft Windows – All versions
  • Apple iOS – All versions
  • Apple macOS – All versions
  • Google Android – All versions

Indicators of Compromise


  • asasasqwqq[.]xyz
  • bitbucket[.]org/execuseme1/1312/downloads/download[.]hta
  • chrom-update[.]online
  • drumbaseuk[.]com
  • mnmnmnmnmnmn[.]club/qweeewwqe/112233[.]exe
  • sygicstyle[.]xyz
  • xyxyxyxyxy[.]xyz/wwwwqwe/11223344[.]exe

SHA256 File Hashes

  • 58585d7b8d0563611664dccf79564ec1028af6abb8867526acaca714e1f8757d
  • 9c69a1d81133bc9d87f28856245fbd95bd0853a3cfd92dc3ed485b395e5f1ba0
  • b832dc81727832893d286decf50571cc740e8aead34badfdf1b05183d2127957


Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: