The DollyWay malware operation has targeted WordPress sites since 2016 and has now grown into a large-scale redirection campaign that has compromised over 20,000 sites worldwide. The operation originally distributed ransomware and banking trojans; as of 2025, its current version, DollyWay v3, instead generates millions of fraudulent impressions by redirecting visitors to scam dating, gambling, and cryptocurrency sites. DollyWay v3 uses a Traffic Direction System (TDS) to choose the redirect destination from the visitor's location, device type, and referrer, which makes the redirects highly targeted and hard to detect.
DollyWay spreads primarily through script injections that exploit vulnerabilities in WordPress plugins and themes. Once a site is compromised, a second-stage script collects referrer data to filter and categorize redirection traffic. The malware keeps its hold on the site by reinfecting it on every page load, spreading its malicious PHP code across the active plugins and even installing a hidden copy of the WPCode plugin to avoid detection. Because these components are concealed from site administrators, the infection is hard to remove.
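A defender facing the reinfection behaviour described above needs a way to see changes to plugin code that the dashboard will not show. The following is an added example, not code from the article or from GoDaddy: it records a SHA-256 manifest of the `wp-content/plugins` tree and diffs it against a later snapshot, so that code appended to an active plugin or a plugin directory the administrator never installed stands out. It assumes the standard plugins layout and builds a throwaway tree with constructed file contents so it runs offline.

```python
"""Detect files that change or appear under wp-content/plugins between runs.

Added example (not from the article or GoDaddy). Records a SHA-256 manifest
of the plugins tree and diffs it against a later snapshot. All paths and file
contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; any non-empty list deserves a closer look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed plugins tree, baseline it, then simulate the two
    kinds of change the article describes (code appended to an active plugin,
    an extra plugin directory dropped in) and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        legit = plugins / "example-plugin"          # constructed plugin name
        legit.mkdir(parents=True)
        (legit / "example-plugin.php").write_text(
            "<?php // constructed stand-in for a legitimate plugin file\n")
        (legit / "readme.txt").write_text("constructed readme\n")

        # In practice the baseline is taken right after a verified clean
        # install and stored somewhere the web server cannot write to.
        baseline = hash_tree(plugins)

        # Constructed placeholders only; no real injected code is reproduced.
        with open(legit / "example-plugin.php", "a") as fh:
            fh.write("// constructed placeholder for appended code\n")
        dropped = plugins / "unexpected-plugin"     # constructed directory
        dropped.mkdir()
        (dropped / "loader.php").write_text("<?php // constructed placeholder\n")

        return diff_manifest(baseline, hash_tree(plugins))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the article says reinfection happens on every page load, a single clean diff is not proof the site is clean; run the comparison repeatedly (for example from cron, with the baseline stored off the web root) and treat any reappearing change as a sign that the injection source has not been removed.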
DollyWay v3 is heavily monetized through affiliate networks such as VexTrio and LosPollos. Its JavaScript redirects a visitor only after they interact with a page element, making it difficult for passive scanning tools to detect. Each successful redirection to a scam site earns the attackers affiliate revenue. To further conceal itself, the malware creates hidden administrator accounts whose usernames are random hex strings; these accounts do not appear in the site's admin panel and are visible only when the database is inspected directly.
One of the main obstacles to removing DollyWay is its reinfection strategy: the malware reattaches itself to a compromised site on every page load, so a partial cleanup does not last. It also persists through hidden admin accounts that can only be found by inspecting the database directly. GoDaddy's security team has released indicators of compromise (IoCs) to help organizations defend against this threat. These IoCs, along with further details on DollyWay's infrastructure, will be shared in a forthcoming post so the wider community can keep up with its evolving tactics.
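Both paragraphs above make the same point: the hidden administrator accounts can only be found by querying the database, not the dashboard. The following is an added example, not GoDaddy's tooling and not an IoC from the article, showing that check. It assumes the standard WordPress schema (`wp_users`, and `wp_usermeta` holding the PHP-serialized `wp_capabilities` value) with the default `wp_` table prefix, and runs the query against an in-memory SQLite copy populated with constructed rows so it works offline; on a live site the same SQL runs against MySQL, which has `REGEXP` built in.

```python
"""List every administrator in the WordPress database and flag the ones whose
login is a random-looking hex string.

Added example (not from the article or GoDaddy). The sample rows are
constructed; the hex logins are invented for the demo.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY,
    user_login TEXT NOT NULL,
    user_email TEXT,
    user_registered TEXT
);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    meta_key TEXT NOT NULL,
    meta_value TEXT
);
"""

# PHP-serialized capability values as WordPress stores them.
ADMIN_CAP = 'a:1:{s:13:"administrator";b:1;}'
EDITOR_CAP = 'a:1:{s:6:"editor";b:1;}'

# Constructed rows: two ordinary accounts plus two hex-named administrators
# of the kind the article describes.
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.test", "2019-04-02 10:00:00"),
    (2, "editor_jane", "jane@example.test", "2021-07-15 09:30:00"),
    (3, "a3f9c27e1b04d6f8", "", "2025-02-11 03:14:07"),
    (4, "7e1d0b93f2a6c5e4", "", "2025-02-11 03:14:09"),
]
SAMPLE_META = [
    (1, 1, "wp_capabilities", ADMIN_CAP),
    (2, 2, "wp_capabilities", EDITOR_CAP),
    (3, 3, "wp_capabilities", ADMIN_CAP),
    (4, 4, "wp_capabilities", ADMIN_CAP),
]

# Every account granted the administrator role, whether or not the dashboard
# would list it. Adjust the table prefix if the site does not use 'wp_'.
ALL_ADMINS = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID;
"""

# Same join, narrowed to logins made of nothing but eight or more hex digits.
HEX_ADMINS = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_login REGEXP '^[0-9a-f]{8,}$'
ORDER BY u.ID;
"""


def _regexp(pattern, value):
    # SQLite evaluates "X REGEXP Y" as regexp(Y, X) and ships no default
    # implementation, so one is registered below. MySQL needs no helper.
    return 1 if value is not None and re.search(pattern, value, re.I) else 0


def open_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", SAMPLE_META)
    return conn


def list_admins(conn):
    """Logins of every administrator the database knows about."""
    return [row[1] for row in conn.execute(ALL_ADMINS)]


def find_hex_admins(conn):
    """Logins of administrators whose username looks like a random hex string."""
    return [row[1] for row in conn.execute(HEX_ADMINS)]


if __name__ == "__main__":
    db = open_sample_db()
    print("all administrators:", list_admins(db))
    print("hex-named administrators:", find_hex_admins(db))
```

Compare the `list_admins` result with what the Users screen shows: any account present in the database but absent from the dashboard, and any hit from `find_hex_admins`, should be treated as suspect and removed along with the code that created it, since the article notes the malware recreates its foothold on every page load.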
In conclusion, the DollyWay malware operation has become a highly sophisticated and lucrative threat to WordPress sites worldwide. With its ability to customize redirections, evade detection, and persistently reinfect compromised sites, DollyWay poses a significant challenge to cybersecurity professionals. By sharing information and IoCs, organizations can better prepare to defend against this evolving malware and protect their websites from malicious attacks.