Thursday, March 20, 2025

Malware marketing campaign ‘DollyWay’ breached 20,000 WordPress websites

A malware operation dubbed ‘DollyWay’ has been underway since 2016, compromising over 20,000 WordPress sites globally to redirect visitors to malicious sites.

The campaign has evolved considerably over the past eight years, leveraging advanced evasion, re-infection, and monetization techniques.

According to GoDaddy researcher Denis Sinegubko, DollyWay has been functioning as a large-scale scam redirection system in its latest version (v3). However, in the past, it has distributed more dangerous payloads like ransomware and banking trojans.

“GoDaddy Security researchers have uncovered evidence linking multiple malware campaigns into a single, long-running operation we have named ‘DollyWay World Domination’,” explains a recent report by GoDaddy.

“While previously thought to be separate campaigns, our research reveals these attacks share common infrastructure, code patterns, and monetization methods – all appearing to be connected to a single, sophisticated threat actor.

“The operation was named after the following tell-tale string, which is found in some variations of the malware: define('DOLLY_WAY', 'World Domination').”

Thousands of stealthy infections

DollyWay v3 is a sophisticated redirection operation that targets vulnerable WordPress sites, exploiting n-day flaws in plugins and themes to compromise them.

As of February 2025, DollyWay generates 10 million fraudulent impressions per month by redirecting WordPress site visitors to fake dating, gambling, crypto, and sweepstakes sites.

Landing page DollyWay redirects victims to
Source: GoDaddy

The campaign is monetized through the VexTrio and LosPollos affiliate networks after filtering visitors through a Traffic Direction System (TDS).

A Traffic Distribution System analyzes and redirects web traffic based on various attributes of a visitor, such as their location, device type, and referrer. Cybercriminals commonly use malicious TDS systems to redirect users to phishing sites or malware downloads.

The websites are breached via a script injection using ‘wp_enqueue_script,’ which dynamically loads a second script from the compromised site.

The second stage collects visitor referrer data to help categorize the redirection traffic and then loads the TDS script that decides on the validity of the targets.

Direct site visitors that have no referrer, are not bots (the script has a hardcoded list of 102 known bot user-agents), and are not logged-in WordPress users (including admins) are considered invalid and are not redirected.

The third stage selects three random infected sites to serve as TDS nodes and then loads hidden JavaScript from one of them to perform the final redirection to VexTrio or LosPollos scam pages.

JavaScript snippet that performs conditional redirection to a scam website
Source: GoDaddy

The malware uses affiliate tracking parameters to ensure the attackers get paid for each redirection.

It is worth noting that the final redirect only occurs when the visitor interacts with a page element (clicks), evading passive scanning tools that only examine page loads.

Auto-reinfection ensures persistence

Sinegubko explains that DollyWay is a very persistent threat that automatically reinfects a site with every page load, so removing it is particularly hard.

It achieves this by spreading its PHP code across all active plugins and also adds a copy of the WPCode plugin (if not already installed) that contains obfuscated malware snippets.

WPCode is a third-party plugin that allows admins to add small snippets of “code” that modify WordPress functionality without directly modifying theme files or WordPress code.

Obfuscated PHP code injected into plugins
Source: GoDaddy

As part of an attack, the hackers hide WPCode from the WordPress plugin list so administrators cannot see or delete it, making disinfection complicated.

DollyWay also creates admin users named after random 32-character hex strings and keeps these accounts hidden in the admin panel. They are only visible through direct database inspection.

GoDaddy shared the complete list of the indicators of compromise (IoCs) associated with DollyWay to help defend against this threat.

It will publish more details about the operation’s infrastructure and shifting tactics in a follow-up post.
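Added example, not from the GoDaddy report or this article: a Python triage script that applies three of the persistence traits described above (the DOLLY_WAY tell-tale string in plugin code, a plugin present on disk but missing from the dashboard list, and administrator accounts named with 32-character hex strings that only show up in the database). All sample data is constructed, and the 'wpcode' directory slug is an assumption.

```python
import re

# Tell-tale string quoted in the GoDaddy report: define('DOLLY_WAY', 'World Domination')
MARKER = re.compile(r"DOLLY_WAY")
# Hidden admin accounts are named after random 32-character hex strings
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def suspicious_admins(rows):
    """rows: (user_login, serialized wp_capabilities value) pairs pulled straight
    from wp_users/wp_usermeta, since the admin panel hides these accounts."""
    return [login for login, caps in rows
            if HEX32.match(login) and '"administrator"' in caps]

def hidden_plugins(on_disk, listed):
    """Plugin directories present under wp-content/plugins but missing from the
    plugin list the admin panel shows (DollyWay hides its WPCode copy there)."""
    return sorted(set(on_disk) - set(listed))

def marked_files(files):
    """files: path -> PHP source. Return files carrying the DOLLY_WAY marker."""
    return sorted(path for path, src in files.items() if MARKER.search(src))

# Constructed sample data (not real IoCs); 'wpcode' is an assumed directory slug.
SAMPLE_USERS = [
    ("editor_jane", 'a:1:{s:6:"editor";b:1;}'),
    ("3f2a9c8e1b4d5f6a7c8e9d0b1a2f3c4d", 'a:1:{s:13:"administrator";b:1;}'),
    ("siteowner", 'a:1:{s:13:"administrator";b:1;}'),
]
SAMPLE_DISK = ["contact-form", "gallery", "wpcode"]
SAMPLE_LISTED = ["contact-form", "gallery"]
SAMPLE_FILES = {
    "plugins/contact-form/contact-form.php":
        "<?php\nadd_shortcode('cf', 'cf_render');\n",
    "plugins/gallery/gallery.php":
        "<?php\ndefine('DOLLY_WAY', 'World Domination');\n"
        "add_action('wp_enqueue_scripts', 'gl_inject');\n",
}

def run_checks(users=SAMPLE_USERS, disk=SAMPLE_DISK,
               listed=SAMPLE_LISTED, files=SAMPLE_FILES):
    """Run all three checks; an empty list for a key means that check found nothing."""
    return {
        "hidden_admins": suspicious_admins(users),
        "hidden_plugins": hidden_plugins(disk, listed),
        "marked_files": marked_files(files),
    }

if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings or 'none'}")
```

On a real site the three inputs come from a SQL query against wp_users/wp_usermeta, a directory listing of wp-content/plugins, and the plugin list the dashboard renders; a hit in any check is a reason to pull GoDaddy's full IoC list and compare.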
