diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index a6650612eb..addf3e9889 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1628,6 +1628,7 @@ void qemuDomainObjCheckTaint(virQEMUDriverPtr driver,
 {
     size_t i;
     virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+    qemuDomainObjPrivatePtr priv = obj->privateData;
 
     if (cfg->privileged &&
         (!cfg->clearEmulatorCapabilities ||
@@ -1635,6 +1636,9 @@ void qemuDomainObjCheckTaint(virQEMUDriverPtr driver,
          cfg->group == 0))
         qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_HIGH_PRIVILEGES, logFD);
 
+    if (priv->hookRun)
+        qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_HOOK, logFD);
+
     if (obj->def->namespaceData) {
         qemuDomainCmdlineDefPtr qemucmd = obj->def->namespaceData;
         if (qemucmd->num_args || qemucmd->num_env)
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 3826d0ba85..0bed50b11b 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -174,6 +174,8 @@ struct _qemuDomainObjPrivate {
     virCond unplugFinished; /* signals that unpluggingDevice was unplugged */
     const char *unpluggingDevice; /* alias of the device that is being unplugged */
     char **qemuDevices; /* NULL-terminated list of devices aliases known to QEMU */
+
+    bool hookRun;  /* true if there was a hook run over this domain */
 };
 
 typedef enum {
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 331e18acf1..54c6feccae 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -2230,6 +2230,7 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
     virCapsPtr caps = NULL;
     char *migrateFrom = NULL;
     bool abort_on_error = !!(flags & VIR_MIGRATE_ABORT_ON_ERROR);
+    bool taint_hook = false;
 
     if (virTimeMillisNow(&now) < 0)
         return -1;
@@ -2300,6 +2301,10 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
 
                 virDomainDefFree(*def);
                 *def = newdef;
+                /* We should taint the domain here. However, @vm and therefore
+                 * privateData too are still NULL, so just notice the fact and
+                 * taint it later. */
+                taint_hook = true;
             }
         }
     }
@@ -2385,6 +2390,11 @@ qemuMigrationPrepareAny(virQEMUDriverPtr driver,
     if (VIR_STRDUP(priv->origname, origname) < 0)
         goto cleanup;
 
+    if (taint_hook) {
+        /* Domain XML has been altered by a hook script. */
+        priv->hookRun = true;
+    }
+
     if (!(mig = qemuMigrationEatCookie(driver, vm, cookiein, cookieinlen,
                                        QEMU_MIGRATION_COOKIE_LOCKSTATE |
                                        QEMU_MIGRATION_COOKIE_NBD)))