DollyWay Malware: Breaching WordPress at Scale

Mar 20, 2025, by Eli Junco


Cybercriminals have been perfecting their craft for years, and the latest evolution in WordPress malware is the infamous DollyWay campaign. Active since 2016, DollyWay has now breached over 20,000 WordPress sites globally, redirecting unsuspecting visitors to fraudulent pages that lure them into scams. In its latest incarnation—DollyWay v3—the malware has evolved into an advanced redirection system, employing sophisticated evasion, reinfection, and monetization strategies.

What Is DollyWay?

Originally, DollyWay was linked to various malware campaigns, including ransomware and banking trojans. However, recent research by GoDaddy security expert Denis Sinegubko has revealed that what were once thought to be separate campaigns are actually facets of a single, long-running operation, aptly dubbed “DollyWay World Domination.” The campaign gets its name from a tell-tale string found in some versions of the malware: define ('DOLLY_WAY', 'World Domination').


How DollyWay Works

DollyWay v3 targets vulnerable WordPress sites by exploiting n-day flaws in plugins and themes. Once a site is compromised, the malware injects a script via the wp_enqueue_script function, dynamically loading additional malicious code. This two-stage process begins by gathering visitor data—such as referrer information and device details—and then filtering the traffic through a sophisticated Traffic Distribution System (TDS).

The TDS analyzes the visitors and, based on factors like location, device type, and whether they are logged into WordPress, decides if a user should be redirected. If the criteria are met, the user is directed to one of three randomly selected infected sites that act as TDS nodes. Here, hidden JavaScript performs the final redirection to scam pages affiliated with networks like VexTrio and LosPollos. Notably, the final redirection only occurs upon user interaction, such as clicking a page element, thereby evading passive scanning tools.

Persistence Through Auto-Reinfection

A key feature of DollyWay is its persistence. The malware reinfects compromised sites on every page load, making it extremely difficult to remove. It spreads its PHP code across all active plugins and even installs a copy of the WPCode plugin (if not already present) that carries obfuscated malicious snippets. To further complicate detection, DollyWay hides this WPCode plugin from the WordPress admin panel and creates hidden administrator accounts with random 32-character hexadecimal names. This multi-layered approach ensures that even if some components are removed, the malware can reinstate itself without raising suspicion.
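Two of the indicators above (hidden administrator accounts with random 32-character hexadecimal names, and scripts injected through wp_enqueue_script) can be triaged offline. The following is an added example written for this article, not code from GoDaddy's research or from the malware; it assumes a user export in the JSON shape produced by WP-CLI's wp user list --format=json, treats any absolute script URL on a host other than the site's own as worth a look (a heuristic, not a rule), and uses constructed sample data.

```python
"""Triage helpers for two DollyWay indicators (added example, constructed data)."""
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Matches a login made of exactly 32 lowercase hex characters, e.g. an md5-like string.
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def suspicious_admins(users: Iterable[dict]) -> List[str]:
    """Return logins of administrator accounts whose user_login is 32 hex characters.
    Each record is assumed to look like WP-CLI output: {"user_login": ..., "roles": "a,b"}."""
    hits = []
    for u in users:
        roles = str(u.get("roles", "")).split(",")
        if "administrator" in roles and HEX32.match(u["user_login"]):
            hits.append(u["user_login"])
    return hits

# Matches wp_enqueue_script('handle', 'src', ...) with either quote style.
ENQUEUE = re.compile(
    r"wp_enqueue_script\s*\(\s*(['\"])(?P<handle>[^'\"]+)\1\s*,\s*(['\"])(?P<src>[^'\"]+)\3")

def external_enqueues(php_source: str, site_host: str) -> List[Tuple[str, str]]:
    """Return (handle, src) pairs whose src is an absolute URL on a host other than site_host.
    Relative paths and same-host URLs are ignored; this is a review heuristic, not proof."""
    hits = []
    for m in ENQUEUE.finditer(php_source):
        src = m.group("src")
        host = urlparse(src).netloc
        if host and host.lower() != site_host.lower():
            hits.append((m.group("handle"), src))
    return hits

# Constructed sample input: one legitimate admin, one hex-named admin, one editor.
SAMPLE_USERS = [
    {"user_login": "alice", "roles": "administrator"},
    {"user_login": "3f2a9c8b1d4e5f6a7b8c9d0e1f2a3b4c", "roles": "administrator"},
    {"user_login": "bob", "roles": "editor"},
]
# Constructed plugin snippet: one same-host enqueue, one pulling from a placeholder host.
SAMPLE_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('theme-main', 'https://example.com/wp-content/themes/x/main.js');
    wp_enqueue_script("loader", "https://placeholder.invalid/l.js", array(), null, true);
});
"""

if __name__ == "__main__":
    print("hex-named admins:", suspicious_admins(SAMPLE_USERS))
    print("external enqueues:", external_enqueues(SAMPLE_PHP, "example.com"))
```

Run the same functions over a real wp user list --format=json export and over the PHP of every active plugin, since the article notes the code is spread across all of them.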

The Bigger Picture

As of February 2025, DollyWay generates over 10 million fraudulent impressions per month, redirecting visitors to scam sites promoting fake dating services, gambling, cryptocurrency schemes, and sweepstakes. This broad monetization strategy underscores the indiscriminate nature of the attack, affecting both consumer and enterprise sites across various industries.


Conclusion

DollyWay represents a significant threat to WordPress site owners, highlighting how persistent and adaptive cybercriminals have become. Its sophisticated multi-stage infection process—combined with auto-reinfection tactics—makes it exceptionally difficult to eradicate once a site is compromised. Organizations must remain vigilant, ensuring that all plugins and themes are up-to-date, and implementing robust security practices to safeguard their web assets.

Stay Protected with TechHorizon Consulting

At TechHorizon Consulting, we understand that your online presence is critical to your business success. We specialize in securing web platforms by identifying vulnerabilities, enforcing strong authentication measures, and implementing proactive monitoring to thwart malware campaigns like DollyWay.