Massive ‘DollyWay’ Malware Operation Exploits Over 20,000 WordPress Sites Since 2016
A long-running cybercriminal operation dubbed “DollyWay” has been actively compromising WordPress websites for nearly a decade. With over 20,000 sites infected worldwide, the malware redirects users to scam pages while continuously evolving its tactics to stay undetected.
Eight Years of Stealthy Infections
Security researchers at GoDaddy have been tracking DollyWay, revealing its evolution from distributing banking trojans and ransomware to running large-scale scam redirections. Denis Sinegubko, a researcher at GoDaddy, explains that DollyWay’s latest version, v3, operates as a fraudulent traffic redirection system, making millions of impressions each month.
GoDaddy’s findings suggest that what was once thought to be multiple, separate malware campaigns is, in fact, one unified operation. The research uncovered shared infrastructure, coding similarities, and monetization techniques across different attacks, all linking back to a single threat actor.
“We’ve named this operation ‘DollyWay World Domination’ after a recurring string found in the malware’s code: define('DOLLY_WAY', 'World Domination'),” GoDaddy noted in its report.
A Profitable Redirection Scheme
DollyWay v3 exploits vulnerabilities in outdated WordPress plugins and themes. Once a site is compromised, it becomes part of a global scam network that generates around 10 million fraudulent impressions per month.
Victims visiting infected sites unknowingly get redirected to deceptive pages related to dating scams, cryptocurrency fraud, gambling schemes, and fake sweepstakes. The campaign monetizes these redirects through affiliate networks like VexTrio and LosPollos, both notorious for their involvement in shady online operations.
The redirection process follows a sophisticated Traffic Direction System (TDS), which filters users based on:
- Geolocation and device type
- Referral source
- User activity (e.g., whether they click on a page element)
Only valid targets—those not logged into WordPress and not identified as bots—are redirected to scam sites. The malware even selects three random infected sites as TDS nodes, ensuring that the final redirect remains difficult to track.
Reinfection Tactics Make Removal Challenging
DollyWay isn’t just about hijacking traffic; it’s designed to be nearly impossible to remove. The malware automatically reinfects sites with every page load, making cleanup efforts frustratingly ineffective.
Here’s how it ensures persistence:
- Malicious PHP code spreads across all active plugins.
- The malware installs and hides a copy of the WPCode plugin, which contains obfuscated scripts.
- It creates hidden admin accounts named with random 32-character hex strings, making them invisible unless manually inspected in the database.
Additionally, WPCode—a legitimate plugin used for inserting small code snippets—serves as a stealthy malware delivery vehicle. DollyWay modifies it to hide itself from the WordPress plugin list, preventing administrators from easily spotting and removing it.
Technical Breakdown of the Infection Chain
DollyWay follows a three-stage infection process:
- Initial Injection: The malware exploits known vulnerabilities in WordPress plugins and themes, injecting a malicious script using wp_enqueue_script().
- Filtering and Traffic Analysis: The injected script collects visitor data and determines whether they qualify for redirection.
- Final Redirection: A JavaScript snippet selects three compromised sites as nodes, which then execute the final redirect to a scam site via the TDS system.
One crucial feature of DollyWay v3 is that the final redirection only happens when a user interacts with the webpage—such as clicking on an element. This helps the malware evade detection by automated security scanners that only analyze passive page loads.
What’s Next?
GoDaddy has released a list of indicators of compromise (IoCs) to help site owners detect and mitigate infections. The company also plans to publish further details on DollyWay’s infrastructure and tactics, aiming to disrupt this long-standing cybercriminal operation.
For WordPress administrators, the best defense remains:
- Keeping plugins and themes updated
- Regularly auditing installed plugins for unauthorized changes
- Checking database records for hidden admin accounts
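The three persistence tricks described above (hidden hex-named admin accounts, a plugin hidden from the dashboard list, and scripts injected through wp_enqueue_script) each have a cheap audit counterpart. The Python below is an added example written for this article; it is not GoDaddy's tooling and not code from the report. The input shapes (user rows with a login and a roles list, plugin PHP source as text, a list of plugin directories versus what the dashboard lists), the trusted-host allow-list, and every sample value are constructed assumptions.

```python
"""Audit helpers for the DollyWay persistence behaviours reported by GoDaddy.
Added example, not GoDaddy's code: all inputs below are constructed samples."""
import re
from urllib.parse import urlparse

# The report describes hidden admin accounts named with random 32-character hex strings.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# wp_enqueue_script( 'handle', 'src', ... ) where both first arguments are quoted literals.
# Calls whose src is an expression such as plugins_url(...) deliberately do not match.
ENQUEUE = re.compile(
    r"wp_enqueue_script\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]"
)


def suspicious_admin_users(users):
    """Return logins of administrator users whose login is a 32-char hex string.
    `users` is a list of dicts with 'user_login' and 'roles' (assumed shape,
    e.g. rows pulled from wp_users joined with the capabilities usermeta)."""
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u["roles"] and HEX32.match(u["user_login"])
    )


def foreign_enqueues(php_source, trusted_hosts):
    """Find wp_enqueue_script() calls whose src is an absolute URL on a host
    outside `trusted_hosts`. Relative paths have no hostname and are skipped.
    This is a triage heuristic: legitimate plugins may enqueue CDN scripts,
    so the allow-list is the reviewer's, not a property of the malware."""
    hits = []
    for handle, src in ENQUEUE.findall(php_source):
        host = urlparse(src).hostname
        if host and host not in trusted_hosts:
            hits.append((handle, src))
    return hits


def plugins_hidden_from_list(dirs_on_disk, listed_slugs):
    """Plugin directories present under wp-content/plugins but absent from what
    the dashboard or WP-CLI plugin list reports. The report says DollyWay hides
    its WPCode copy from that list, so the set difference is the signal."""
    return sorted(set(dirs_on_disk) - set(listed_slugs))


# --- constructed sample inputs (not real site data) ---
SAMPLE_USERS = [
    {"user_login": "admin", "roles": ["administrator"]},
    {"user_login": "editor_jane", "roles": ["editor"]},
    {"user_login": "3f2a9c8e1b7d4e6f0a1b2c3d4e5f6a7b", "roles": ["administrator"]},
]

SAMPLE_PLUGIN_PHP = r"""<?php
// constructed sample: a plugin-local enqueue, an allow-listed CDN, and an injected external loader
wp_enqueue_script( 'my-plugin-ui', plugins_url( 'js/ui.js', __FILE__ ), array( 'jquery' ) );
wp_enqueue_script( 'vendor-lib', 'https://cdn.example.com/lib.js' );
wp_enqueue_script('abc123', 'https://evil-example.invalid/loader.js', array(), null, true);
"""

# Constructed slugs; "wpcode" stands in for whatever directory the hidden copy uses.
SAMPLE_DIRS_ON_DISK = ["akismet", "wpcode", "my-plugin"]
SAMPLE_LISTED = ["akismet", "my-plugin"]


if __name__ == "__main__":
    print("hex-named admins:", suspicious_admin_users(SAMPLE_USERS))
    print("foreign enqueues:", foreign_enqueues(SAMPLE_PLUGIN_PHP, {"cdn.example.com"}))
    print("hidden plugins:", plugins_hidden_from_list(SAMPLE_DIRS_ON_DISK, SAMPLE_LISTED))
```

On a live site the same checks map to `wp user list --role=administrator`, a grep of every active plugin for wp_enqueue_script, and a comparison of `ls wp-content/plugins` against `wp plugin list`; since the report says reinfection happens on page load, run them after taking the site offline rather than between cleanup passes.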
With DollyWay proving to be a persistent and evolving threat, website owners must remain vigilant to avoid falling victim to this widespread malware campaign.