Malware Campaign DollyWay Breaches 20,000 WordPress Sites

Edward Zhou
Edward Zhou

CEO & Founder

 
July 17, 2025 5 min read

Malware campaign 'DollyWay' breached 20,000 WordPress sites

WordPress
A malware operation dubbed 'DollyWay' has been operating since 2016, compromising over 20,000 WordPress sites globally to redirect users to malicious sites. This campaign has evolved significantly, utilizing advanced evasion, reinfection, and monetization strategies.

According to GoDaddy researcher Denis Sinegubko, the latest version (v3) of DollyWay functions as a large-scale scam redirection system. Historically, it has also distributed more harmful payloads like ransomware and banking trojans. A recent report by GoDaddy explains that the operation was named after the tell-tale string found in some variations of the malware: define('DOLLY_WAY', 'World Domination').

Thousands of stealthy infections

DollyWay v3 primarily targets vulnerable WordPress sites by exploiting n-day flaws in plugins and themes. As of February 2025, it generates 10 million fraudulent impressions per month by redirecting visitors to fake dating, gambling, crypto, and sweepstakes sites.

Landing page DollyWay redirects victims to
The campaign uses VexTrio and LosPollos affiliate networks to monetize its operations after filtering visitors through a Traffic Direction System (TDS). This system analyzes and redirects web traffic based on various factors such as location, device type, and referrer. Cybercriminals typically use TDS systems to send users to phishing sites or malware downloads.

The websites are infected via script injection with 'wp_enqueue_script,' dynamically loading a second script from the compromised site. This second stage collects visitor referrer data to help categorize redirection traffic, then loads the TDS script that validates target visitors for redirection.

JavaScript snippet designed to perform conditional redirection to a scam website
The malware uses affiliate tracking parameters, ensuring attackers receive payment for each redirection. Notably, the final redirect occurs only when the visitor interacts with a page element, evading detection by passive scanning tools.

Auto-reinfection ensures persistence

Sinegubko notes that DollyWay is a persistent threat, automatically reinfecting a site with every page load, complicating removal efforts. The malware spreads PHP code across all active plugins and adds a copy of the WPCode plugin, which contains obfuscated malware snippets.

The hackers hide WPCode from the WordPress plugin list, preventing administrators from detecting or deleting it. Additionally, DollyWay creates admin users with random 32-character hex strings, hiding these accounts from the admin panel and making them visible only through direct database inspection.

GoDaddy has shared a complete list of indicators of compromise (IoCs) associated with DollyWay to assist in defending against this threat.

WordPress Sites Turned Weapon: VexTrio and Affiliates

Cybersecurity
VexTrio's Traffic Distribution Service (TDS) has been linked to other operations, indicating a sophisticated cybercriminal enterprise designed to disseminate malicious content. VexTrio operates as a group of malicious adtech companies that distribute scams and harmful software via different advertising formats, including smartlinks and push notifications, according to Infoblox.

The malicious adtech companies under VexTrio include Los Pollos, Taco Loco, and Adtrafico, which form a commercial affiliate network. This network connects malware actors with advertising affiliates who promote various illicit schemes, including gift card fraud and phishing sites.

VexTrio's operations have faced setbacks, such as a November 2024 revelation that Los Pollos was part of their network, leading to changes in tactics among threat actors relying on this network.

DollyWay World Domination: Eight Years of Evolving Website Malware

DollyWay World Domination Website Malware Campaign & Operation
GoDaddy Security researchers have linked multiple malware campaigns into a single operation known as "DollyWay World Domination." This operation has compromised over 20,000 websites globally in the past eight years. The latest campaign demonstrates sophisticated capabilities, including cryptographically signed data transfers and automatic reinfection mechanisms.

The malware works exclusively on WordPress sites, leveraging a distributed network of Command and Control (C2) and TDS nodes hosted on compromised sites. Historical campaigns have included aggressive payloads, but the current focus is on redirecting site visitors through injected redirect scripts.

Technical analysis of current campaign (DollyWay v3)

DollyWay v3 employs a sophisticated four-stage injection chain designed to evade detection:

Stage 1: Initial injection

The first stage uses WordPress's wp_enqueue_script function to append a link to a dynamically generated script whenever someone visits an infected domain. Each injection includes a unique 32-character hexadecimal parameter.

Stage 2: Dynamic loading and referrer collection

This stage dynamically loads the next script while collecting information for the TDS.

Stage 3: TDS script injection

At this point, the malware generates a script that loads from three random nodes (third-party infected sites) that act as TDS.

Stage 4: The redirect

The final scripts returned by the TDS nodes contain the actual redirect code, leading visitors to VexTrio/LosPollos links.

Persistent reinfection mechanism

The malware reinfects sites with each page load through complex procedures that disable security plugins, re-obfuscate injections, and create new malicious snippets. The presence of malicious admin users further complicates detection and removal efforts.

Malware Redirects WordPress Traffic to Harmful Sites

Redirects WordPress Traffic to Harmful Sites
Recent investigations revealed a malware infection redirecting WordPress traffic to suspicious URLs. This form of malicious code was injected into the theme's functions.php, leading to the distribution of information-stealing malware.

The malware employs techniques to bypass detection by checking for specific cookies and filtering requests based on user agents. It uses complex regular expressions to filter requests and redirects users to potentially harmful domains.

Potential Impact of the Malware

The primary payload of this malware is redirecting users, but it may also create hidden backdoors for persistent access. Attackers can leverage this method to compromise sensitive data and inject further malicious content into the victim's website.

How Was the Site Likely Infected?

Infections may occur due to outdated plugins, poorly designed custom code, pre-existing backdoors, or compromised user accounts. The attackers behind such infections may aim to damage the website’s reputation, impact search rankings, exploit traffic, or inject further spam or malware.

Mitigation Tips for WordPress Website Administrators

Website administrators should monitor for unusual update prompts, review installed plugins, reset admin passwords, and enable multi-factor authentication.

For users, it is advisable to install specialized security software to prevent interactions with compromised websites.

Explore our services at undefined for more information on protecting your website against these threats. Contact us today for expert assistance in securing your WordPress site.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article