DollyWay Malware Campaign Hijacks 20,000 WordPress Sites for Redirection Scams

Since 2016, the DollyWay malware campaign has compromised over 20,000 WordPress sites worldwide, redirecting visitors to fraudulent pages promoting scams like fake dating, gambling, and cryptocurrency schemes.

Researchers at GoDaddy discovered that DollyWay is part of a long-running operation linked to multiple malware campaigns, all sharing infrastructure, code similarities, and monetization tactics.

The malware exploits vulnerabilities in WordPress plugins and themes, injecting scripts that filter traffic using a Traffic Direction System (TDS) to maximize profit through affiliate networks like VexTrio and LosPollos.

DollyWay’s infection process involves injecting scripts that categorize visitors before redirecting them, ensuring that only real users—excluding bots, logged-in WordPress admins, and direct visitors—are sent to scam pages.

To maintain persistence, DollyWay automatically reinfects sites by spreading its malicious PHP code across plugins and stealthily installing the WPCode plugin, which is hidden from WordPress administrators.

Additionally, it creates hidden admin accounts disguised with random 32-character hex strings, making detection and removal extremely difficult.
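As an added defender-side triage check (not code from GoDaddy's report or from this page), the Python script below looks for two of the indicators described above: administrator accounts named with 32-character hex strings, and installed plugins that are not on the site owner's approved list, which is where an unexplained WPCode install (WordPress.org slug `insert-headers-and-footers`) would surface. The CSV inputs are constructed samples in the shape of `wp user list --format=csv` and `wp plugin list --format=csv` output, taken from the command line rather than the dashboard the malware tampers with.

```python
import csv
import io
import re

# DollyWay's hidden admins use random 32-character hex names (per the summary above).
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample in the shape of `wp user list --format=csv` (hypothetical site data).
SAMPLE_USERS_CSV = """ID,user_login,display_name,user_email,roles
1,alice,Alice,alice@example.test,administrator
2,bob,Bob,bob@example.test,editor
3,3f7a9c1e5b2d4f6a8c0e1b3d5f7a9c1e,Support,3f7a9c1e5b2d4f6a8c0e1b3d5f7a9c1e@example.test,administrator
"""

# Constructed sample in the shape of `wp plugin list --format=csv`; the second row is the
# directory slug of WPCode, which the summary says the malware installs stealthily.
SAMPLE_PLUGINS_CSV = """name,status,update,version
akismet,active,none,5.3
insert-headers-and-footers,active,none,2.1.9
"""


def find_hex_named_admins(users_csv):
    """Return user_login values of administrator accounts whose login, display name
    or e-mail local part is a 32-character hex string."""
    flagged = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if "administrator" not in row["roles"].split(","):
            continue
        candidates = (row["user_login"], row["display_name"], row["user_email"].split("@")[0])
        if any(HEX32.match(c) for c in candidates):
            flagged.append(row["user_login"])
    return flagged


def find_unapproved_plugins(plugins_csv, approved):
    """Return installed plugin slugs that are not in the owner's approved set."""
    return [row["name"] for row in csv.DictReader(io.StringIO(plugins_csv))
            if row["name"] not in approved]


if __name__ == "__main__":
    print("hex-named admins:", find_hex_named_admins(SAMPLE_USERS_CSV))
    print("unapproved plugins:", find_unapproved_plugins(SAMPLE_PLUGINS_CSV, {"akismet"}))
```

Run it against the real exports of a suspect site and treat any hit as a reason to pull the PHP files of every plugin, since the summary notes the malicious code is spread across them for reinfection.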

The final redirection to scam sites only occurs when a user interacts with the page, evading passive security scans that only analyze page loads.

GoDaddy has shared indicators of compromise (IoCs) to help mitigate the threat and plans to release more details on DollyWay’s infrastructure and evolving tactics in a future update.
