A malware operation dubbed ‘DollyWay’ has been underway since 2016, compromising over 20,000 WordPress websites globally to redirect customers to malicious websites.
The marketing campaign has advanced considerably up to now eight years, leveraging superior evasion, re-infection, and monetization methods.
In response to GoDaddy researcher Denis Sinegubko, DollyWay has been functioning as a large-scale rip-off redirection system in its newest model (v3). Nevertheless, within the previous, it has distributed extra dangerous payloads like ransomware and banking trojans.
“GoDaddy Safety researchers have uncovered proof linking a number of malware campaigns right into a single, long-running operation we have named ‘DollyWay World Domination’,” explains a latest report by Godaddy.
“Whereas beforehand regarded as separate campaigns, our analysis reveals these assaults share widespread infrastructure, code patterns, and monetization strategies – all showing to be linked to a single, subtle menace actor.
“The operation was named after the next tell-tale string, which is present in some variations of the malware: outline(‘DOLLY_WAY’, ‘World Domination’).”
1000’s of stealthy infections
DollyWay v3 is a sophisticated redirection operation that targets susceptible WordPress websites utilizing n-day flaws on plugins and themes to compromise them.
As of February 2025, DollyWay generates 10 million fraudulent impressions per 30 days by redirecting WordPress website guests to faux relationship, playing, crypto, and sweepstakes websites.

Supply: GoDaddy
The marketing campaign is monetized by way of VexTrio and LosPollos affiliate networks after filtering guests by way of a Site visitors Path System (TDS).
A Site visitors Distribution System analyzes and redirects net site visitors based mostly on numerous features of a customer, resembling their location, gadget kind, and referrer. Cybercriminals generally use malicious TDS programs to redirect customers to phishing websites or malware downloads.
The web sites are breached by way of a script injection with ‘wp_enqueue_script,’ which dynamically hundreds a second script from the compromised website.
The second stage collects customer referrer knowledge to assist categorize the redirection site visitors after which hundreds the TDS script that decides on the validity of the targets.
Direct web site guests that don’t have any referrer, usually are not bots (the script has a hardcoded record of 102 recognized bot user-agents), and usually are not logged-in WordPress customers (together with admins) are thought-about invalid and usually are not redirected.
The third stage selects three random contaminated websites to function TDS nodes after which hundreds hidden JavaScript from one in all them to carry out the ultimate redirection to VexTrio or LosPollos rip-off pages.

Supply: GoDaddy
The malware makes use of affiliate monitoring parameters to make sure attackers receives a commission for every redirection.
It is price noting that the ultimate redirect solely happens when the customer interacts with a web page aspect (clicks), evading passive scanning instruments that solely study web page hundreds.
Auto-reinfection ensures persistence
Sinegubko explains that DollyWay is a really persistent menace that robotically reinfects a website with each web page load, so eradicating it’s notably onerous.
It achieves this by spreading its PHP code throughout all lively plugins and likewise provides a replica of the WPCode plugin (if not already put in) that accommodates obfuscated malware snippets.
WPCode is a third-party plugin permitting admins so as to add small snippets of “code” that modify WordPress performance with out immediately modifying theme information or WordPress code.

Supply: GoDaddy
As a part of an assault, the hackers cover WPCode from the WordPress plugin record so directors can’t see or delete it, making disinfection sophisticated.
DollyWay additionally creates admin customers named after random 32-character hex strings and retains these accounts hidden within the admin panel. They’re solely seen by way of direct database inspection.
GoDaddy shared the whole record of the indications of compromise (IoCs) related to DollyWay to assist defend towards this menace.
It would publish extra particulars in regards to the operation’s infrastructure and shifting techniques in a follow-up publish.

