DollyWay Malware Campaign Breaches Over 20,000 WordPress Sites

Abhimanyu Singh
Abhimanyu Singh

Engineering Manager

 
June 4, 2025 2 min read

DollyWay Malware Operation Overview

The DollyWay malware operation has been active since 2016, compromising over 20,000 WordPress sites worldwide. It primarily targets vulnerable sites through n-day exploits in plugins and themes. GoDaddy researchers have linked this operation to a sophisticated threat actor that uses a well-organized infrastructure and advanced evasion techniques DollyWay World Domination.

DollyWay World Domination Website Malware Campaign & Operation

Campaign Mechanics

DollyWay redirects site visitors to fake dating, gambling, and crypto sites, generating approximately 10 million fraudulent impressions each month. The malware's monetization strategy involves utilizing affiliate networks like VexTrio and LosPollos, which filter and redirect users based on their location and device type.

Landing page DollyWay redirects victims to
The infection process begins with a script injection that exploits the WordPress wp_enqueue_script function, loading a second script that collects visitor data and determines the appropriate redirection.

Reinfection and Persistence

DollyWay is known for its persistence; it automatically reinfects compromised sites with every page load. The malware spreads its code across all active plugins and installs the WPCode plugin, which contains obfuscated malware snippets. This makes disinfection particularly challenging since the WPCode plugin is hidden from the WordPress dashboard.

In addition to hiding its presence, the malware creates malicious admin accounts with random hexadecimal usernames, further complicating detection and removal efforts.

Traffic Direction System (TDS)

The latest version, known as DollyWay v3, employs a Traffic Direction System (TDS) that evaluates various visitor parameters before executing redirects. This system ensures that logged-in users, known bots, and visitors without referrers are excluded from redirection, significantly reducing the risk of detection by security tools.

JavaScript snippet designed to perform conditional redirection to a scam website
Using a combination of three TDS nodes, the malware ensures redundancy in the redirection process. Each node serves a specific category of scam links, keeping the operation efficient and profitable.

Backdoor Mechanisms

DollyWay incorporates advanced backdoor mechanisms that allow attackers to execute arbitrary PHP code on compromised sites. When a request containing a specific identifier is detected, the malware can create PHP files that enable further exploitation.

The malware also captures admin login credentials by monitoring POST requests, allowing attackers to maintain access even if the initial admin accounts are discovered and deleted.

Indicators of Compromise (IoCs)

GoDaddy has shared comprehensive indicators of compromise associated with the DollyWay malware to assist in detection and remediation efforts. This includes identifying malicious admin users, the presence of the WPCode plugin, and various obfuscated code patterns.

To safeguard against threats like DollyWay, organizations can utilize GrackerAI's AI-powered cybersecurity marketing platform. GrackerAI helps you transform security news into strategic content opportunities, enabling your marketing team to produce timely, relevant content that resonates with cybersecurity professionals.

Explore our services at GrackerAI or contact us for more information on how we can enhance your cybersecurity content strategy.

Abhimanyu Singh
Abhimanyu Singh

Engineering Manager

 

Engineering Manager driving innovation in AI-powered SEO automation. Leads the development of systems that automatically build and maintain scalable SEO portals from Google Search Console data. Oversees the design and delivery of automation pipelines that replace traditional $360K/year content teams—aligning engineering execution with business outcomes.

Related Articles

Optimizing SEO for AI Search: Best Practices and Strategies

Bay Area, CA - Salazar Digital has developed a marketing strategy designed to excel in AI-driven search rankings. As artificial intelligence reshapes how search engines evaluate and rank content, traditional SEO methods alone are insufficient. Salazar Digital combines technical expertise, creative content strategies, and user-centric design to enhance visibility and user engagement.

By Hitesh Kumawat July 29, 2025 4 min read
Read full article

Leveraging AI Analytics for Customer Engagement and Business Growth

Customer Profitability Analysis AI Agents are transforming how businesses understand and maximize customer value. These digital teammates utilize advanced machine learning to deliver real-time insights, predict future profitability, and provide granular analysis of customer profitability. By automating complex data processing and offering actionable recommendations, they streamline what was once a labor-intensive process into a dynamic powerhouse of predictive analytics.

By Govind Kumar July 29, 2025 4 min read
Read full article

Launch of New Master’s Programs in Digital Marketing Worldwide

The University of Technology Bahrain (UTB) has launched its Master of Science in Digital Marketing program, highlighted during a ceremony attended by key figures in the education sector. Dr. Hasan Almulla, President of UTB, expressed gratitude to the Higher Education Council and emphasized the program's relevance in the rapidly evolving field of digital marketing. "The field of digital marketing is witnessing unprecedented growth, and our program is designed to keep up with this transformation," he stated.

By Ankit Lohar July 28, 2025 3 min read
Read full article

400,000 WordPress Sites at Risk: Critical Plugin Flaw Exposed

A serious vulnerability, known as CVE-2025-24000, has been identified in the Post SMTP WordPress plugin, which is utilized by over 400,000 websites. This vulnerability allows low-privileged users to take control of administrator accounts due to broken access controls in the plugin’s REST API. The flaw, rated with a CVSS score of 8.8, has been addressed in version 3.3.0 of the plugin.

By Vijay Shekhawat July 28, 2025 3 min read
Read full article