
DollyWay Malware Campaign

DollyWay, a malware operation active since 2016, has compromised over 20,000 WordPress sites globally. This ongoing campaign has grown more sophisticated over the years, refining its evasion, re-infection, and monetization strategies, making it a significant threat to site security.

DollyWay’s Evolution into a Tactic Redirection System

Initially, DollyWay distributed ransomware and banking trojans, posing a direct threat to site visitors. However, in its current version (DollyWay v3), the malware has shifted focus to operating as a scam redirection system, leading users to fraudulent sites.

Recent research has revealed that DollyWay is part of a more extensive, long-running operation known as 'DollyWay World Domination.' The operation includes multiple campaigns that share similar code, infrastructure, and monetization tactics. The malware is named after the string found in its code:

How DollyWay v3 Compromises Thousands of WordPress Sites

DollyWay v3 targets vulnerable WordPress sites by exploiting n-day flaws in plugins and themes. Once a site is compromised, the malware redirects visitors to malicious sites offering fake dating, gambling, cryptocurrency scams, and sweepstakes.

As of February 2025, DollyWay is responsible for generating over 10 million fraudulent impressions per month, directing traffic to scam pages that are monetized through VexTrio and LosPollos affiliate networks. This redirection process is managed through a Traffic Direction System (TDS) that filters users based on specific characteristics.

The Three-Stage Infection Process

  • Injection and Redirection Setup: The malware injects a script into the site using wp_enqueue_script, which loads a second unsafe script from the compromised site.
  • Traffic Filtering: The second script analyzes the visitor's referrer data and categorizes the traffic to select a redirection target. Visitors are not redirected if they:
      • Have no referrer (they visited the website directly).
      • Are detected as bots.
      • Are logged-in WordPress users, including administrators.
  • Final Redirection to Fraudulent Pages: Three randomly chosen infected sites act as TDS nodes, loading hidden JavaScript that redirects the visitor to VexTrio or LosPollos scam pages. The redirection fires only when the visitor clicks on a page element, making it harder to detect.
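The filtering step has a practical consequence for defenders: a site owner who checks the site while logged in, or who types the URL directly (no referrer), is exactly the kind of visitor the script leaves alone, so the page looks clean. The following added example (not code from the original write-up or from any research team) compares two views of the same page and reports script elements that appear only in the "ordinary visitor" view. The probe headers, the sample HTML and the injected script path are constructed for illustration; the `id="...-js"` attribute is simply the shape WordPress gives a script tag rendered through wp_enqueue_script.

```python
"""Compare an owner's view of a WordPress page with an ordinary visitor's view
and list the <script> elements served only to the visitor.

Added example. Filter rules encoded here come from the write-up: no redirect for
visitors without a referrer, for bots, or for logged-in users. Headers and HTML
below are constructed; the injected path is a hypothetical placeholder.
"""
from html.parser import HTMLParser

# Request headers that land a probe on each side of the TDS filter (assumed values).
PROBE_HEADERS = {
    # Mimics the owner's own check: a direct visit with no Referer header.
    "owner_view": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"},
    # Mimics a logged-out visitor arriving from a search engine.
    "visitor_view": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36",
        "Referer": "https://www.google.com/",
    },
}


class ScriptCollector(HTMLParser):
    """Collects (src, inline body) for every <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def script_elements(html):
    """Return [(src or None, inline body)] for all script tags in the document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def visitor_only_scripts(owner_html, visitor_html):
    """Scripts present in the visitor view but absent from the owner view."""
    baseline = set(script_elements(owner_html))
    return [s for s in script_elements(visitor_html) if s not in baseline]


# Constructed sample pages: the visitor view carries one extra enqueued script.
OWNER_VIEW = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script>
</head><body><p>Hello</p></body></html>"""

VISITOR_VIEW = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script>
<script src="/wp-content/uploads/example-injected.js" id="example-injected-js"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for src, body in visitor_only_scripts(OWNER_VIEW, VISITOR_VIEW):
        print("visitor-only script:", src or "<inline>", body[:60])
```

In practice, fetch the page twice while logged out, once with each entry of `PROBE_HEADERS` (for example via `urllib.request.Request(url, headers=...)`), and feed both bodies to `visitor_only_scripts`. Any difference between the two views is worth investigating on its own, since a clean site should not vary its script tags by referrer.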

DollyWay’s Persistence and Stealth Techniques

DollyWay has developed a range of techniques to ensure its persistence on infected sites. Once it compromises a WordPress site, the malware re-infects the site on every page load, making removal difficult. Its key tactics are:

  • Spreading PHP code across active plugins.
  • Injecting malicious code into the WPCode plugin (a third-party tool used to modify WordPress without altering core files).
  • Hiding WPCode from the plugin list, making it invisible to administrators and more challenging to remove.

Additionally, the malware creates hidden admin accounts with random 32-character hex strings, which are visible only via direct database inspection, ensuring attackers maintain control over the site.
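Because these accounts are hidden from the WordPress Users screen, the check has to run against the database itself. The following added example (not code from the original write-up) takes rows from wp_users joined with the wp_capabilities meta value and flags administrators whose login is a 32-character hex string; it also diffs the database's login list against what the admin UI (or `wp user list`) showed. The `wp_` table prefix is WordPress's default and is assumed here, and the sample rows are constructed.

```python
"""Flag administrator accounts whose login is a 32-character hex string, and
spot logins present in the database but missing from the admin UI.

Added example. The wp_ table prefix is assumed (WordPress default); the sample
rows are constructed, including the hex usernames.
"""
import re

# Login names that are exactly 32 hex characters, case-insensitive.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# wp_capabilities is a PHP-serialized array; this fragment marks an administrator.
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')

# Query to pull the raw rows from a live database (MySQL/MariaDB syntax).
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities';
"""

# Constructed sample of rows such a query might return.
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "siteadmin", "user_email": "admin@example.com",
     "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 57, "user_login": "9f86d081884c7d659a2feaa0c55ad015",
     "user_email": "9f86d081884c7d659a2feaa0c55ad015@example.com",
     "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 58, "user_login": "a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
     "user_email": "sub@example.com",
     "capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
]


def is_hex32(value):
    """True when the login consists of exactly 32 hex characters."""
    return bool(HEX32.match(value))


def is_administrator(serialized_caps):
    """True when the serialized wp_capabilities value grants administrator."""
    return ADMIN_CAP.search(serialized_caps) is not None


def suspicious_admins(rows):
    """Rows that are administrators and carry a hex-string login."""
    return [r for r in rows
            if is_administrator(r["capabilities"]) and is_hex32(r["user_login"])]


def accounts_hidden_from_ui(db_logins, ui_logins):
    """Logins the database holds but the Users screen / `wp user list` did not show."""
    return sorted(set(db_logins) - set(ui_logins))


if __name__ == "__main__":
    for row in suspicious_admins(SAMPLE_ROWS):
        print(f"suspicious admin: ID={row['ID']} login={row['user_login']} "
              f"email={row['user_email']}")
    # Constructed: what the Users screen listed during the same review.
    ui_listing = ["siteadmin", "editor_jane"]
    db_listing = [r["user_login"] for r in SAMPLE_ROWS]
    print("in database but not in UI:", accounts_hidden_from_ui(db_listing, ui_listing))
```

Run `AUDIT_SQL` against the live database (or export the same columns with `wp db query`), load the rows into `SAMPLE_ROWS`'s shape, and compare against the output of `wp user list --field=user_login`. An account that the database holds but the UI omits is a stronger signal than the hex-string pattern alone, since the hiding itself is the behaviour the write-up describes.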

Conclusion: A Persistent and Evolving Threat

DollyWay is an ongoing and resilient malware campaign that continues to evolve with increasingly sophisticated tactics. Its ability to:

  • Reinfect sites automatically
  • Evade detection through hidden scripts and admin accounts
  • Monetize redirection traffic through fraud-related networks

…makes it a serious threat for WordPress site owners worldwide. Website administrators must remain vigilant and update themes, plugins, and security protocols regularly to mitigate the risks of infection.
