
Massive ‘DollyWay’ Malware Operation Exploits Over 20,000 WordPress Sites Since 2016


A long-running cybercriminal operation dubbed "DollyWay" has been actively compromising WordPress websites for nearly a decade. With over 20,000 sites infected worldwide, the malware redirects users to scam pages while continuously evolving its tactics to stay undetected.

Eight Years of Stealthy Infections

Security researchers at GoDaddy have been tracking DollyWay, revealing its evolution from distributing banking trojans and ransomware to running large-scale scam redirections. Denis Sinegubko, a researcher at GoDaddy, explains that DollyWay's latest version, v3, operates as a fraudulent traffic redirection system, making millions of impressions each month.

GoDaddy's findings suggest that what was once thought to be multiple, separate malware campaigns is, in fact, one unified operation. The research uncovered shared infrastructure, coding similarities, and monetization techniques across different attacks, all linking back to a single threat actor.

"We've named this operation 'DollyWay World Domination' after a recurring string found in the malware's code: define('DOLLY_WAY', 'World Domination')," GoDaddy noted in its report.

[Image: dollyway-malware-infects-wordpress-sites-2025]

A Profitable Redirection Scheme

DollyWay v3 exploits vulnerabilities in outdated WordPress plugins and themes. Once a site is compromised, it becomes part of a global scam network that generates around 10 million fraudulent impressions per month.

Victims visiting infected sites unknowingly get redirected to deceptive pages related to dating scams, cryptocurrency fraud, gambling schemes, and fake sweepstakes. The campaign monetizes these redirects through affiliate networks like VexTrio and LosPollos, both notorious for their involvement in shady online operations.

The redirection process follows a sophisticated Traffic Direction System (TDS), which filters users based on:

- Geolocation and device type
- Referral source
- User activity (e.g., whether they click on a page element)

Only valid targets—those not logged into WordPress and not identified as bots—are redirected to scam sites. The malware even selects three random infected sites as TDS nodes, ensuring that the final redirect remains difficult to track.

Reinfection Tactics Make Removal Challenging

DollyWay isn't just about hijacking traffic; it's designed to be nearly impossible to remove. The malware automatically reinfects sites with every page load, making cleanup efforts frustratingly ineffective.

Here's how it ensures persistence:

- Malicious PHP code spreads across all active plugins.
- The malware installs and hides a copy of the WPCode plugin, which contains obfuscated scripts.
- It creates hidden admin accounts named with random 32-character hex strings, making them invisible unless manually inspected in the database.

Additionally, WPCode—a legitimate plugin used for inserting small code snippets—serves as a stealthy malware delivery vehicle. DollyWay modifies it to hide itself from the WordPress plugin list, preventing administrators from easily spotting and removing it.

Technical Breakdown of the Infection Chain

DollyWay follows a three-stage infection process:

1. Initial Injection: The malware exploits known vulnerabilities in WordPress plugins and themes, injecting a malicious script using 'wp_enqueue_script'.
2. Filtering and Traffic Analysis: The injected script collects visitor data and determines whether they qualify for redirection.
3. Final Redirection: A JavaScript snippet selects three compromised sites as nodes, which then execute the final redirect to a scam site via the TDS system.

One crucial feature of DollyWay v3 is that the final redirection only happens when a user interacts with the webpage—such as clicking on an element. This helps the malware evade detection by automated security scanners that only analyze passive page loads.

What's Next?

GoDaddy has released a list of indicators of compromise (IoCs) to help site owners detect and mitigate infections. The company also plans to publish further details on DollyWay's infrastructure and tactics, aiming to disrupt this long-standing cybercriminal operation.

For WordPress administrators, the best defense remains:

- Keeping plugins and themes updated
- Regularly auditing installed plugins for unauthorized changes
- Checking database records for hidden admin accounts

With DollyWay proving to be a persistent and evolving threat, website owners must remain vigilant to avoid falling victim to this widespread malware campaign.
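Two of the indicators the article describes are easy to audit for: administrator accounts whose login is a random 32-character hex string, and plugin code that enqueues a script from a host other than the site itself. The Python script below is an added example, not code from the article or from GoDaddy's research. The table columns mirror the standard WordPress wp_users and wp_usermeta layout with the default wp_ prefix, but every row, the sample plugin source and the host names are constructed for the example, and an in-memory sqlite database stands in for the real MySQL connection; the query itself is plain enough to run unchanged against MySQL.

```python
"""Audit helpers for two DollyWay indicators from the article:
hidden admin accounts with 32-char hex logins, and plugin PHP that
enqueues scripts from a foreign host. All data below is constructed."""
import re
import sqlite3
from urllib.parse import urlparse

# DollyWay names its hidden admin accounts with random 32-character hex strings.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Capabilities live in wp_usermeta under '<prefix>capabilities' as a PHP-serialized
# array; '"administrator"' appears in the value for admin accounts. The default
# prefix wp_ is assumed here (adjust the meta_key for other prefixes).
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
"""


def find_suspicious_admins(conn):
    """Return administrator accounts whose login looks like a random 32-char hex string."""
    rows = conn.execute(ADMIN_QUERY).fetchall()
    return [
        {"id": r[0], "login": r[1], "email": r[2], "registered": r[3]}
        for r in rows
        if HEX32.match(r[1])
    ]


# Matches wp_enqueue_script('handle', 'literal-url', ...). Calls whose src is built
# with plugins_url()/get_template_directory_uri() have no literal here and are skipped.
ENQUEUE = re.compile(
    r"""wp_enqueue_script\s*\(\s*['"][^'"]*['"]\s*,\s*['"](?P<src>[^'"]+)['"]""",
    re.IGNORECASE,
)


def find_foreign_enqueues(php_source, site_host):
    """Return literal script URLs enqueued from a host other than site_host.
    Protocol-relative URLs (//host/path) are resolved by urlparse as well."""
    hits = []
    for m in ENQUEUE.finditer(php_source):
        src = m.group("src")
        host = urlparse(src).hostname
        # Relative paths yield no host and are left alone; only absolute foreign URLs are flagged.
        if host and host.lower() != site_host.lower():
            hits.append(src)
    return hits


def build_sample_db():
    """Constructed wp_users/wp_usermeta tables with one hex-named admin (user 2)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                           user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                              meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES
      (1, 'editor_jane', 'jane@example.test', '2021-04-02 10:00:00'),
      (2, '3f9a1c7e2b8d4a6f0c1e5b7d9a2f4c6e', 'noreply@example.test', '2024-11-30 03:12:44'),
      (3, 'sam', 'sam@example.test', '2022-01-15 08:30:00');
    INSERT INTO wp_usermeta VALUES
      (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
      (2, 2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
      (3, 3, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    """)
    return conn


# Constructed plugin source: one local enqueue, one same-host absolute URL,
# one protocol-relative URL pointing at a foreign (placeholder) host.
SAMPLE_PLUGIN_PHP = r"""<?php
/* Plugin Name: Example Gallery (constructed sample) */
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('gallery', plugins_url('js/gallery.js', __FILE__), array('jquery'));
    wp_enqueue_script('theme-fx', 'https://www.example.test/wp-content/themes/x/fx.js');
    wp_enqueue_script('inj', '//injected-host.invalid/loader.js', array(), null, true);
});
"""


if __name__ == "__main__":
    db = build_sample_db()
    for acct in find_suspicious_admins(db):
        print("suspicious admin:", acct)
    for url in find_foreign_enqueues(SAMPLE_PLUGIN_PHP, "www.example.test"):
        print("foreign enqueue:", url)
```

Run against a real site, the admin check needs a connection to the WordPress database (and the correct table prefix in the meta_key), while the enqueue check is applied to each .php file under wp-content/plugins and wp-content/themes. Both produce a review list rather than a verdict: a foreign script host may be a legitimate CDN, so the output is a starting point for the plugin audit the article recommends, not an automatic cleanup.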

An engineering graduate, Harry turned to writing after a couple of years of experience in core technology field. At The iBulletin, Harry covers latest updates related to trending apps & games on the app store.
