A sophisticated cybercrime operation known as DollyWay World Domination has infiltrated more than 20,000 WordPress websites globally since 2016, redirecting unsuspecting users to malicious destinations. This campaign, named after the code snippet `define(‘DOLLY_WAY’, ‘World Domination’)` found within the malware, continues to evolve with advanced evasion techniques that challenge traditional security measures.
Exploitation of WordPress Vulnerabilities
The DollyWay campaign primarily targets WordPress installations by exploiting vulnerabilities in plugins and themes. Given that WordPress powers nearly half of all websites worldwide, this platform presents a vast attack surface for cybercriminals. Security researchers at GoDaddy first documented this extensive operation in March 2025, revealing that threat actors have maintained persistent access to compromised sites for nearly a decade.
Multi-Stage Attack Methodology
The attack employs a multi-stage approach:
1. Initial Injection: The malware injects scripts that appear benign, allowing them to bypass static HTML code analysis.
2. Establishing Backdoors: These scripts function as digital trojans, creating persistent backdoors on the compromised sites.
3. Downloading Additional Payloads: The backdoors facilitate the download of additional malicious components designed for victim profiling, command-and-control communications, and traffic redirection operations.
The malware demonstrates remarkable persistence through an advanced re-infection mechanism that triggers whenever any page on the compromised website loads, making complete remediation exceptionally challenging.
Monetization Strategies
The operators of DollyWay have developed a complex monetization strategy leveraging two primary affiliate networks: VexTrio and LosPollos.
– VexTrio: Described by cybersecurity experts as the Uber of cybercrime, VexTrio serves as the primary traffic broker, directing victims to various scam websites, including fake dating platforms, cryptocurrency frauds, and illegal gambling operations based on detailed victim profiling data.
– LosPollos: This network adds legitimacy to some redirections, occasionally directing traffic to authentic applications like Tinder or TikTok on Google Play. This dual-track approach not only generates revenue through both legitimate and illegitimate channels but also helps obscure the malicious nature of the overall operation by mixing fraudulent redirects with genuine app promotions.
Advanced Evasion Techniques
DollyWay employs sophisticated concealment methods that significantly complicate detection and removal efforts:
– Code Injection Across Plugins: The malware strategically injects malicious code across all active plugins simultaneously, requiring comprehensive cleanup across multiple components to prevent re-infection.
– Unauthorized Administrator Accounts: It creates unauthorized administrator accounts with elevated privileges while hiding these accounts from the standard WordPress dashboard interface.
– Credential Harvesting: The campaign includes keylogger functionality that monitors administrative login forms, storing captured credentials in hidden files for future exploitation.
– Maintenance Scripts and Web Shells: Researchers have identified specialized maintenance scripts and web shells that enable remote management of infected infrastructure, including WordPress updates, component installations, and malware injection processes.
– Competitive Protection Mechanisms: The malware includes features designed to prevent rival malware from infiltrating already compromised sites, indicating a highly organized effort to maintain long-term control over infected assets.
Impact and Recommendations
As of February 2025, over 10,000 unique WordPress sites generate millions of impressions monthly from malicious scripts associated with DollyWay. To mitigate risks, administrators are advised to:
– Temporarily Disable Infected Sites: Prevent further harm by taking compromised sites offline during remediation.
– Update Plugins and Themes: Ensure all components are up-to-date to patch known vulnerabilities.
– Enforce Strong Passwords: Implement robust password policies to prevent unauthorized access.
– Use Multifactor Authentication: Add an extra layer of security to administrative accounts.
– Consider Web Application Firewalls (WAFs): Deploy WAFs to detect and block malicious traffic.
Users should remain cautious of unexpected redirects to dubious websites and report any suspicious activity to website administrators.
