
A large-scale malware campaign known as ‘DollyWay’ has been silently compromising WordPress websites since 2016. Over the past eight years, cybercriminals have infected more than 20,000 sites worldwide, redirecting unsuspecting visitors to malicious destinations.
Security researchers at GoDaddy have been tracking the malware’s evolution, revealing how it has grown into a sophisticated scam operation. While earlier versions were used to distribute ransomware and banking trojans, the latest iteration—DollyWay v3—focuses on redirections to fraudulent websites.
How the DollyWay Attack Works
DollyWay primarily targets WordPress sites by exploiting security vulnerabilities in outdated plugins and themes. Once a website is compromised, the malware injects a malicious script using the wp_enqueue_script function, which loads additional scripts to control redirections.
According to GoDaddy security expert Denis Sinegubko, the malware functions as a large-scale Traffic Direction System (TDS), filtering users based on specific parameters before sending them to deceptive websites. These destinations include fake dating, gambling, cryptocurrency, and sweepstakes sites, generating massive profits for cybercriminals.
DollyWay v3: A Stealthy Redirection System
Since February 2025, DollyWay v3 has been responsible for over 10 million fraudulent page impressions per month. It monetizes traffic through affiliate networks like VexTrio and LosPollos. Here’s how it operates:
Traffic Filtering: The malware analyzes visitors based on location, device type, and referrer. Users who arrive organically but don’t match the attackers’ criteria are excluded from redirections.
Malicious JavaScript Injection: Once a visitor qualifies, a hidden JavaScript snippet is loaded from three randomly selected infected sites. This ensures that redirections are difficult to track.
User Interaction Trigger: The final redirect occurs only when a user interacts with the webpage—such as clicking a link—helping the malware bypass passive scanning tools.
Persistent and Hard to Remove
One of DollyWay’s most dangerous aspects is its self-replicating mechanism. Each time a page is loaded, the malware reinfects the site, making removal extremely difficult. It achieves persistence in the following ways:
Hiding in Plugins: The malware spreads its PHP code across all active WordPress plugins.
Manipulating WPCode Plugin: If WPCode (a plugin for inserting custom code snippets) is not installed, DollyWay adds it and hides malicious scripts inside it. The plugin is also concealed from the WordPress admin panel, making it hard for site owners to detect.
Creating Hidden Admin Accounts: The malware generates administrator accounts with random 32-character hex strings as usernames. These accounts remain invisible unless directly inspected in the database.

Protecting Your WordPress Site from DollyWay
Given the scale and persistence of this malware, website owners must take proactive security measures to prevent infections. GoDaddy has released a list of indicators of compromise (IoCs) to help administrators identify and remove DollyWay.
Steps to Secure Your WordPress Site:
Update Regularly: Always keep WordPress core, plugins, and themes up to date to prevent attackers from exploiting known vulnerabilities.
Use Security Plugins: Install security tools like Wordfence or Sucuri to detect and block malicious scripts.
Scan for Malware: Regularly scan your website files for suspicious PHP code injections.
Check Admin Accounts: Verify user accounts and remove any unauthorized admin users.
Limit Plugin Installation: Avoid installing unnecessary plugins, especially those with limited security updates.
Enable Web Application Firewall (WAF): A WAF can help filter out malicious traffic before it reaches your site.
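Two of the checks above (the hidden administrator accounts with 32-character hex usernames, and the WPCode plugin that is hidden from the admin panel but still present in the database) can be run against exported WordPress database rows. The following is an added example, not GoDaddy's tooling or code from the article; the user rows, the active_plugins value and the owner's plugin allowlist are constructed, and WPCode's plugin file path is an assumption.

```python
import re

# Usernames DollyWay creates: 32 random lowercase hex characters.
HEX32_LOGIN = re.compile(r"^[0-9a-f]{32}$")
# WPCode's plugin file (assumed; its wordpress.org slug is insert-headers-and-footers).
WPCODE_PLUGIN = "insert-headers-and-footers/ihaf.php"
_PHP_STR = re.compile(r's:(\d+):"')

# Constructed sample data standing in for wp_users/wp_usermeta rows and
# the wp_options 'active_plugins' value of an infected site.
SAMPLE_USERS = [
    {"user_login": "editor_jane", "roles": {"editor"}},
    {"user_login": "siteadmin", "roles": {"administrator"}},
    {"user_login": "3f2a9c1e7b4d8a6f0e5c2b9d1a7f4e83", "roles": {"administrator"}},
]
SAMPLE_ACTIVE_PLUGINS = ('a:2:{i:0;s:19:"akismet/akismet.php";'
                         'i:1;s:35:"insert-headers-and-footers/ihaf.php";}')
# Plugins the site owner knowingly installed (constructed allowlist).
EXPECTED_PLUGINS = {"akismet/akismet.php"}

def parse_php_string_array(serialized):
    """Extract the string values from a PHP-serialized list. Lengths are
    byte counts, which match character counts for ASCII plugin paths."""
    values, pos = [], 0
    while m := _PHP_STR.search(serialized, pos):
        length = int(m.group(1))
        values.append(serialized[m.end():m.end() + length])
        pos = m.end() + length + 2  # skip the closing quote and ';'
    return values

def suspicious_admins(users):
    """Administrator accounts whose login is a 32-character hex string."""
    return [u["user_login"] for u in users
            if "administrator" in u["roles"] and HEX32_LOGIN.match(u["user_login"])]

def unexpected_plugins(active_plugins_option, expected):
    """Active plugins the owner never installed, read from the database row
    rather than the admin panel, where DollyWay hides WPCode."""
    return [p for p in parse_php_string_array(active_plugins_option)
            if p not in expected]

def wpcode_unexpected(active_plugins_option, expected):
    """True when WPCode is active but is not on the owner's allowlist."""
    return WPCODE_PLUGIN in unexpected_plugins(active_plugins_option, expected)

if __name__ == "__main__":
    print("hex-named admins:", suspicious_admins(SAMPLE_USERS))
    print("unexpected plugins:", unexpected_plugins(SAMPLE_ACTIVE_PLUGINS, EXPECTED_PLUGINS))
    print("WPCode unexpected:", wpcode_unexpected(SAMPLE_ACTIVE_PLUGINS, EXPECTED_PLUGINS))
```

On a live site the inputs come from `SELECT user_login FROM wp_users` joined with the `wp_capabilities` usermeta row, and from `SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'`, so the check does not depend on the admin panel the malware tampers with.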
Conclusion
The DollyWay malware campaign highlights the growing risks of unpatched WordPress sites. With cybercriminals constantly refining their tactics, website owners must stay vigilant and implement strong security measures to protect their online presence. If you suspect your website has been compromised, take immediate action to clean and secure your site to prevent further damage.