A massive malware campaign dubbed “DollyWay World Domination” has compromised over 20,000 WordPress websites since its inception in 2016.
The campaign, named after a revealing code snippet within the malware itself (define('DOLLY_WAY', 'World Domination')), primarily functions by redirecting legitimate website visitors to malicious third-party pages.
As of February 2025, experts have identified more than 10,000 WordPress sites worldwide that remain infected with this sophisticated malware, highlighting the persistent threat faced by the world’s most popular content management system.
The DollyWay campaign specifically targets vulnerabilities in WordPress plugins and themes, which have historically been the platform’s weakest security points.
The attack begins with the injection of a seemingly innocuous script designed to evade detection by security systems performing static HTML code analysis.
This initial script acts as a stealthy infiltrator, quietly downloading more dangerous payloads that perform multiple functions including victim profiling, command-and-control server communication, and traffic redirection.
The technical sophistication of DollyWay lies in its multi-stage approach, where the initial compromise appears benign while setting the stage for more damaging activities.
The malware systematically injects malicious code into every active plugin on the compromised site, creating multiple redundant infection points that make eradication particularly challenging.
What makes DollyWay particularly insidious is its comprehensive arsenal of anti-detection mechanisms.
The malware implements an advanced re-infection protocol that activates whenever any page on the compromised site is accessed, meaning partial removal efforts are futile.
If malicious code remains in even a single active plugin or snippet, the entire site will be re-infected upon the next page load.
To maintain unauthorized access, attackers create hidden administrator accounts that are deliberately concealed from the WordPress dashboard.
As a contingency measure, DollyWay also captures legitimate administrator credentials by monitoring login form inputs.
Researchers discovered maintenance scripts and web shells on high-value targets that allow attackers to update WordPress, install required components, and even defend against competing malware that might trigger security alerts or divert traffic.
Affiliate Exploitation
According to the report, the DollyWay campaign generates revenue through sophisticated traffic redirection schemes involving affiliate marketing programs.
The malware incorporates affiliate identifiers into redirects, leveraging partnerships with dubious services like VexTrio and LosPollos.
VexTrio, described as the “Uber of cybercrime,” functions as a broker for various illicit content, redirecting profiled victims to tailored scam destinations including fake dating sites, cryptocurrency scams, and gambling pages.
Interestingly, LosPollos appears to specialize in redirecting traffic to legitimate services like Tinder and TikTok on Google Play, suggesting a diversified monetization strategy that balances overtly malicious activities with seemingly legitimate redirects that still generate affiliate revenue for the attackers.
For website administrators who suspect compromise, experts recommend immediate site isolation, comprehensive plugin evaluation, removal of suspicious administrator accounts, credential rotation with two-factor authentication implementation, and potentially engaging third-party incident response specialists if internal resources prove insufficient.
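The plugin-evaluation step above follows directly from the re-infection behaviour described earlier: every active plugin has to be checked, because a single leftover copy re-infects the site on the next page load. The following is an added Python triage example, not code from the article or from any research team; it assumes the injected code carries the define('DOLLY_WAY', 'World Domination') string quoted earlier, and the plugin tree and active-plugin list it scans are constructed sample data.

```python
import os
import re
import tempfile

# Tolerate whitespace and quote variations around the marker quoted in the article.
DOLLY_MARKER = re.compile(r"define\s*\(\s*['\"]DOLLY_WAY['\"]\s*,\s*['\"]World Domination['\"]")


def scan_plugins(plugins_dir):
    """Return {plugin slug: [relative .php paths]} for files containing the marker."""
    hits = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                if DOLLY_MARKER.search(fh.read()):
                    rel = os.path.relpath(path, plugins_dir)
                    slug = rel.split(os.sep)[0]  # top-level plugin directory
                    hits.setdefault(slug, []).append(rel)
    return hits


def remediation_report(hits, active_slugs):
    """Split hits into active plugins (live re-infection sources) and inactive ones."""
    active = {s: f for s, f in hits.items() if s in active_slugs}
    inactive = {s: f for s, f in hits.items() if s not in active_slugs}
    return {"active": active, "inactive": inactive, "clean": not hits}


def build_sample_tree():
    """Constructed sample plugin tree: two infected plugins, one clean."""
    base = tempfile.mkdtemp()
    samples = {
        "seo-tool/seo-tool.php": "<?php\n/* Plugin Name: SEO Tool */\ndefine ('DOLLY_WAY', 'World Domination');\n",
        "seo-tool/inc/helper.php": "<?php\n// unrelated helper code\n",
        "gallery/gallery.php": "<?php\ndefine(\"DOLLY_WAY\",\"World Domination\");\n",
        "contact-form/contact-form.php": "<?php\n/* Plugin Name: Contact Form */\n",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    # Assumption: the active slugs come from the site's active_plugins option.
    print(remediation_report(scan_plugins(build_sample_tree()), {"seo-tool", "contact-form"}))
```

Any plugin listed under "active" or "inactive" must be cleaned or removed in the same pass; a report with "clean": True is the only state in which the re-infection loop is broken.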