Friday, March 21, 2025

Since 2016, a long-running malware campaign known as “DollyWay” has infected more than 20,000 WordPress websites worldwide, redirecting users to malicious sites including dating scams, online gambling platforms, and various other fraudulent destinations. The campaign has evolved over the years, employing advanced evasion techniques and reinfection mechanisms to maintain persistence. According to Denis Sinegubko, a researcher at GoDaddy, DollyWay initially delivered dangerous malware like ransomware and banking trojans, but has since shifted to a large-scale user redirection system that generates revenue via affiliate networks such as VexTrio and LosPollos.
DollyWay exploits n-day vulnerabilities in WordPress plugins and themes to compromise websites. As of February 2025, it is responsible for more than 10 million fake interactions per month, redirecting users through VexTrio and LosPollos using a Traffic Distribution System (TDS). This system filters incoming traffic and selectively redirects users based on interactions with webpage elements, making it difficult for passive scanning tools—which only detect threats during page load—to identify malicious behavior.
The campaign also reinfects sites repeatedly by injecting malicious PHP code into active plugins and by installing and hiding the WPCode plugin, which contains malware-laced code snippets. It even creates hidden administrator accounts, making detection and removal extremely challenging.
GoDaddy researchers warn that DollyWay poses a serious and ongoing threat. WordPress administrators are strongly advised to keep software and plugins up to date, regularly audit the security of installed themes and plugins, and monitor their websites for any unusual activity.
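As an added example (not code from the GoDaddy report), the following Python audit checks a site for the three persistence artifacts the article names: administrator accounts outside a known allowlist, WPCode snippets containing obfuscated PHP, and obfuscation calls inside active plugin files. It runs on constructed in-memory sample data; the `wp_capabilities` serialization format and the `wpcode` post type are assumptions about how WordPress and WPCode store these records, and the obfuscation indicators are generic, not campaign-specific.

```python
import re
import sqlite3

# Constructed sample data standing in for a WordPress database and plugin
# directory; the "wp-support-svc" admin and the seo-tools plugin file are the
# planted findings. These are not real indicators from the campaign.
SAMPLE_USERS = [(1, "owner"), (2, "wp-support-svc")]
SAMPLE_USERMETA = [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
                   (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')]
SAMPLE_POSTS = [(10, "wpcode", 'add_action("wp_footer", function () { eval(base64_decode("aGVsbG8=")); });')]
SAMPLE_PLUGIN_FILES = {
    "plugins/akismet/akismet.php": "<?php\n// legitimate plugin bootstrap\nadd_action('init', 'akismet_init');\n",
    "plugins/seo-tools/seo-tools.php": "<?php\nadd_action('init', 'seo_init');\n@eval(gzinflate(base64_decode('H4sI')));\n",
}

# Assumed storage details: WordPress keeps roles in wp_usermeta as a PHP-serialized
# array under wp_capabilities; WPCode keeps its snippets as posts of type "wpcode".
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')
OBFUSCATION = re.compile(r'\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(')

def load_sample_db():
    """Build an in-memory SQLite copy of the three tables the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_type TEXT, post_content TEXT);""")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn

def unexpected_admins(conn, known_admins):
    """Logins holding the administrator capability that are not on the allowlist."""
    rows = conn.execute("SELECT u.user_login, m.meta_value FROM wp_users u "
                        "JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities'")
    return sorted(login for login, caps in rows if ADMIN_CAP.search(caps) and login not in known_admins)

def suspicious_wpcode_snippets(conn):
    """IDs of WPCode snippets whose PHP body uses an obfuscation/eval primitive."""
    rows = conn.execute("SELECT ID, post_content FROM wp_posts WHERE post_type = 'wpcode'")
    return [pid for pid, body in rows if OBFUSCATION.search(body)]

def suspicious_plugin_files(files):
    """Plugin source paths (path -> source text) containing obfuscation calls."""
    return sorted(path for path, src in files.items() if OBFUSCATION.search(src))

def audit(conn, files, known_admins):
    return {"unexpected_admins": unexpected_admins(conn, known_admins),
            "wpcode_snippets": suspicious_wpcode_snippets(conn),
            "plugin_files": suspicious_plugin_files(files)}

if __name__ == "__main__":
    print(audit(load_sample_db(), SAMPLE_PLUGIN_FILES, {"owner"}))
```

On a live site the same queries can be issued against the real database and the plugin directory walked from disk; any hit is a lead to investigate, not proof of compromise, since some legitimate plugins also call base64_decode.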