DollyWay Malware Targeting WordPress Sites for Eight Years
Over the past eight years, the DollyWay malware has infected more than 20,000 WordPress websites, redirecting unsuspecting visitors to scam pages. The campaign, known as "DollyWay World Domination", has evolved significantly since it emerged in 2016 and now uses the compromised sites themselves both as Traffic Direction System (TDS) nodes and as Command and Control (C2) nodes.
Advanced Persistence Tactics
Now in its third iteration, DollyWay v3 employs advanced techniques to keep long-term control over infected sites: cryptographically signed data transfers between nodes, multiple injection methods spanning both files and the database, and self-replicating mechanisms that continuously reinfect the site. Notably, the malware also removes competing malware and updates the WordPress installation, keeping the site looking healthy while it holds on to it.
The infection unfolds in four distinct stages designed to bypass security tools and evade detection. Its end goal is to send site visitors to fraudulent pages, primarily through the VexTrio/LosPollos network, one of the most notorious cybercriminal traffic-brokering operations.
Resilient Reinfection and Hidden Admin Accounts
One of the most alarming aspects of DollyWay is how well it survives removal attempts. It injects itself into every active plugin and into WPCode snippets, so the injected code runs on every page load and re-creates any copy that was cleaned out. Unless every injected plugin file and snippet is cleaned at the same time, the site is simply reinfected, which makes complete removal exceptionally difficult.
The malware also creates hidden administrator accounts with randomly generated hexadecimal usernames and steals the credentials of legitimate site administrators. To stay out of sight, it hides the WPCode plugin from the WordPress dashboard's plugin list, so an administrator browsing the dashboard will not see the plugin whose snippets carry the malicious code.
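The two persistence traits above (hex-named administrator accounts and code injected into active plugins and WPCode snippets) can be checked for without trusting the dashboard. The script below is an added example written for this article, not GoDaddy's tooling or the malware's own code. It assumes user records in the shape of `wp user list --format=json`, plugin files keyed by their path under wp-content/plugins, the `active_plugins` option list, and that WPCode stores snippets as posts of post type `wpcode`; the hex-login pattern and the eval/base64_decode heuristic are assumptions, and all sample data is constructed.

```python
"""Added example: heuristic DollyWay-style persistence checks for a WordPress site.

Illustrative code written for this article, not GoDaddy's research tooling.
It looks for the traits the article describes:
  1. administrator accounts whose login is a bare random hex string
  2. files of active plugins that differ from a known-good hash baseline
  3. WPCode snippets containing eval()/base64_decode() style constructs
     (an assumed heuristic; the article does not list the payload's form)
All sample data below is constructed for illustration.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Assumption: the fake admin logins are hex-only; require 8+ hex chars and nothing else.
HEX_LOGIN = re.compile(r"^[0-9a-f]{8,}$")
# Assumption: constructs rarely seen in legitimate WPCode snippets.
SUSPICIOUS_PHP = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")


def find_hex_admins(users: Iterable[dict]) -> List[str]:
    """Logins of administrator accounts whose login is a bare hex string.

    Each user is a dict like one entry of `wp user list --format=json`:
    {"user_login": "...", "roles": "administrator"} (roles may also be a list).
    """
    hits = []
    for u in users:
        roles = u.get("roles", "")
        if isinstance(roles, str):
            roles = roles.split(",")
        if "administrator" in roles and HEX_LOGIN.match(u["user_login"]):
            hits.append(u["user_login"])
    return sorted(hits)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every plugin file (path relative to wp-content/plugins) from a clean copy."""
    return {path: sha256_hex(content) for path, content in files.items()}


def changed_plugin_files(
    baseline: Dict[str, str], current: Dict[str, bytes], active_plugins: Iterable[str]
) -> List[Tuple[str, bool]]:
    """Plugin files that are new or differ from the baseline, as (path, is_active) pairs.

    DollyWay injects into active plugins, so the is_active flag marks the urgent
    hits; changes in inactive plugins are still reported. active_plugins is the
    list stored in the `active_plugins` option, e.g. ["akismet/akismet.php"].
    """
    active_dirs = {entry.split("/", 1)[0] for entry in active_plugins}
    findings = []
    for path, content in current.items():
        if baseline.get(path) != sha256_hex(content):
            findings.append((path, path.split("/", 1)[0] in active_dirs))
    return sorted(findings)


def suspicious_wpcode_snippets(posts: Iterable[dict]) -> List[int]:
    """IDs of WPCode snippets (assumed post_type 'wpcode') whose body matches SUSPICIOUS_PHP."""
    return sorted(
        p["ID"]
        for p in posts
        if p.get("post_type") == "wpcode" and SUSPICIOUS_PHP.search(p.get("post_content", ""))
    )


# Constructed sample data, standing in for `wp user list --fields=user_login,roles --format=json`.
SAMPLE_USERS = [
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "editor_jane", "roles": "editor"},
    {"user_login": "3f9a1c7e2b", "roles": "administrator"},
    {"user_login": "deadbeef01", "roles": "subscriber"},  # hex login, but not an admin
]

# Constructed plugin tree: a clean copy and the same tree after tampering.
CLEAN_PLUGIN_FILES = {
    "akismet/akismet.php": b"<?php\n/* Plugin Name: Akismet */\n",
    "akismet/class.akismet.php": b"<?php\nclass Akismet {}\n",
    "hello-dolly/hello.php": b"<?php\n/* Plugin Name: Hello Dolly */\n",
}
INFECTED_PLUGIN_FILES = dict(CLEAN_PLUGIN_FILES)
INFECTED_PLUGIN_FILES["akismet/akismet.php"] += b"/* appended code */\n"
INFECTED_PLUGIN_FILES["hello-dolly/hello.php"] += b"/* appended code */\n"
ACTIVE_PLUGINS = ["akismet/akismet.php"]

# Constructed wp_posts rows: one normal post, one benign snippet, one suspicious snippet.
SAMPLE_POSTS = [
    {"ID": 10, "post_type": "post", "post_content": "Hello world"},
    {"ID": 42, "post_type": "wpcode", "post_content": "echo 'site notice';"},
    {"ID": 43, "post_type": "wpcode", "post_content": "eval(base64_decode($x));"},
]


def run_checks() -> dict:
    """Run all three checks against the constructed sample data."""
    baseline = build_baseline(CLEAN_PLUGIN_FILES)
    return {
        "hex_admins": find_hex_admins(SAMPLE_USERS),
        "changed_files": changed_plugin_files(baseline, INFECTED_PLUGIN_FILES, ACTIVE_PLUGINS),
        "suspicious_snippets": suspicious_wpcode_snippets(SAMPLE_POSTS),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

On a real site the inputs come from the database or WP-CLI rather than the dashboard, since the dashboard's plugin list is exactly what the malware manipulates; the hash baseline should be built from a fresh download of each plugin at the installed version, not from the live tree.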
Long-Term Evolution and Growing Risks
GoDaddy researchers have linked DollyWay to several past malware campaigns, including Master134, Fake Browser Updates, and CountsTDS—suggesting a coordinated, long-term cybercriminal operation.
With the number of reported vulnerabilities in WordPress plugins and themes doubling in 2023, the attack surface for threats like DollyWay continues to grow. Administrators should keep WordPress core and all plugins and themes updated, audit the user list for unfamiliar administrator accounts, compare plugin files against known-good copies, and run regular security scans. Because DollyWay hides the WPCode plugin from the dashboard, a check that relies on the plugins screen alone is not enough; inspect the database directly or use WP-CLI.
