DollyWay Malware: The Silent Takeover of 20,000+ WordPress Sites

Listen to this Post

A Global Cyber Threat Since 2016

A sophisticated malware campaign, dubbed DollyWay, has been silently compromising over 20,000 WordPress websites worldwide since 2016. The operation, which has evolved through multiple versions, is now a large-scale scam redirection system that filters and redirects web traffic to fraudulent sites, generating millions of impressions per month.

GoDaddy security researcher Denis Sinegubko has linked DollyWay to multiple malware campaigns that were once thought to be separate. The latest version (v3) primarily directs unsuspecting visitors to fake dating platforms, gambling websites, crypto scams, and sweepstakes schemes. However, in earlier versions, it was also responsible for distributing ransomware and banking trojans.

A Highly Evasive Malware Operation

The DollyWay malware operates stealthily by exploiting vulnerabilities in WordPress plugins and themes. It uses n-day flaws, which are known security weaknesses that haven’t been patched by website owners, to gain entry and persist on infected sites.

As of February 2025, DollyWay is estimated to generate 10 million fraudulent ad impressions per month using a Traffic Direction System (TDS). This system filters visitors based on their location, device type, and referral source, ensuring that only real, valuable users are redirected to scam websites.

The infection process involves:

  1. Script Injection – The malware injects malicious code via the wp_enqueue_script function to dynamically load a secondary script.
  2. Traffic Categorization – The malware collects visitor data to determine if they are legitimate targets for redirection.
  3. Multi-Layered Redirection – It selects three random infected sites as TDS nodes and then loads hidden JavaScript to execute the final redirection.
  4. Monetization via Affiliate Networks – DollyWay attackers use VexTrio and LosPollos affiliate networks to get paid per redirection.

Advanced Evasion & Reinfection Tactics

One of

This is achieved by:

  • Embedding its PHP code across multiple active plugins.
  • Installing a hidden, malicious copy of the WPCode plugin, which allows hackers to execute obfuscated scripts without detection.
  • Hiding rogue admin users (with randomized 32-character hex names) in the WordPress database, making them invisible in the admin panel.

Since the malware requires user interaction (such as clicking on a page element) to trigger redirections, it effectively evades passive scanning tools, making detection and removal extremely challenging.

What’s Next?

GoDaddy researchers have released a list of Indicators of Compromise (IoCs) to help security professionals detect and mitigate DollyWay infections. They also plan to publish additional reports detailing the infrastructure and evolving tactics of this sophisticated cyber operation.

What Undercode Say:

1. The Significance of Long-Running Malware Campaigns

DollyWay is a perfect example of how persistent cyber threats evolve over time. What started as a payload delivery system for ransomware has now transformed into a highly optimized scam operation that monetizes web traffic at an industrial scale. This highlights how cybercriminals adapt their tactics to stay profitable while avoiding detection.

  1. The Rise of Malicious Traffic Distribution Systems (TDS)
    Traffic Distribution Systems (TDS) have long been used in online advertising to efficiently direct visitors to relevant content. However, cybercriminals now weaponize TDS networks to filter and monetize traffic for fraudulent purposes. DollyWay showcases an advanced implementation of malicious TDS, ensuring only high-value targets reach scam destinations.

3. The Challenge of Website Security

WordPress remains one of the most widely used content management systems (CMS), making it a prime target for cybercriminals. The DollyWay attack chain exploits outdated plugins and themes, emphasizing the critical importance of regular updates and security audits for website owners.

4. Affiliate Fraud as a Monetization Strategy

DollyWay’s integration with VexTrio and LosPollos highlights a growing trend in affiliate fraud. Cybercriminals manipulate advertising models to generate revenue, proving that click-based commissions are still vulnerable to exploitation. This calls for stricter monitoring and fraud detection mechanisms within affiliate networks.

5. Reinfection Tactics & Stealthy Persistence

One of the most alarming aspects of DollyWay is its self-reinfection mechanism. The ability to hide admin users, obfuscate code, and reinstall itself automatically makes traditional removal methods ineffective. Advanced cybersecurity measures, including behavior-based detection and proactive threat hunting, are necessary to counter such threats.

6. Why Passive Scanners Fail

DollyWay’s final redirection only triggers when a user interacts with a page. This ensures that traditional passive scanning tools (which only inspect page loads) fail to detect it. This demonstrates a crucial flaw in many automated security tools, reinforcing the need for real-time, interactive malware analysis.

7. The Need for Improved Cybersecurity Awareness

Many website owners remain unaware of advanced malware campaigns like DollyWay. Regular security training and proactive measures, such as limiting plugin installations, enforcing strong access controls, and using security plugins, are essential in preventing infections.

8. The Future of DollyWay & Similar Malware

As security experts analyze and expose DollyWay, cybercriminals will likely evolve their tactics again. Future malware variants may become even more sophisticated, requiring AI-driven cybersecurity solutions to detect and mitigate threats in real time.

Fact Checker Results:

  1. DollyWay is a Real & Ongoing Threat – Verified through GoDaddy’s security research, confirming its existence since 2016 with active infections as of 2025.
  2. 10 Million Impressions Per Month is Plausible – Based on traffic redirection techniques, such numbers are achievable through large-scale infection campaigns.
  3. Reinfections & Hidden Admins Are Common Tactics – Malware persistence through hidden users and obfuscated scripts is well-documented in WordPress-related cyber threats.

References:

Reported By: https://www.bleepingcomputer.com/news/security/malware-campaign-dollyway-breached-20-000-wordpress-sites/
Extra Source Hub:
https://www.github.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image