The DollyWay malware operation has been targeting WordPress sites since 2016, compromising over 20,000 sites globally. Initially, it distributed severe threats like ransomware and banking trojans, but it has since evolved into a sophisticated redirection campaign. As of 2025, DollyWay v3 now generates millions of fraudulent impressions by redirecting users to fake sites related to dating, gambling, and cryptocurrency. This process involves a Traffic Direction System (TDS) to control redirections based on the user’s location, device type, and referral data, making the attacks highly customizable.
The malware is primarily spread through script injections that exploit vulnerabilities in WordPress plugins and themes.
Once a site is compromised, a second-stage script collects referrer data, helping to filter and categorize redirection traffic. The malware ensures persistence by constantly reinfecting the site with every page load. It spreads its malicious PHP code across active plugins, even installing a hidden copy of the WPCode plugin to evade detection. By hiding these elements from site administrators, the malware becomes difficult to remove.
DollyWay v3 is heavily monetized through affiliate networks like VexTrio and LosPollos.
The system uses JavaScript to redirect visitors only when they interact with a page element, making detection challenging for passive scanning tools. These malicious redirects are designed to earn revenue for the attackers with every successful redirection to a scam site. To further ensure stealth, the malware hides its true nature by using random hex strings to create admin user accounts, which are invisible on the site’s admin panel unless directly viewed in the database.
One of the key challenges in combating DollyWay is its advanced reinfection strategy. The malware automatically reattaches itself to compromised sites every time a page is loaded, which severely complicates the cleanup process. Its persistence is ensured by adding hidden admin accounts, which can only be spotted by inspecting the database directly. GoDaddy’s security team has released indicators of compromise (IoCs) to help organizations defend against this threat. These IoCs, along with further details of DollyWay’s infrastructure, will be shared in an upcoming post to help the wider community stay ahead of evolving tactics.
