{"id":24151,"date":"2025-06-03T20:31:45","date_gmt":"2025-06-03T16:31:45","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/dollyway-world-domination-infects-wordpress-websites\/24151\/"},"modified":"2025-06-03T20:31:45","modified_gmt":"2025-06-03T16:31:45","slug":"dollyway-world-domination-infects-wordpress-websites","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/dollyway-world-domination-infects-wordpress-websites\/24151\/","title":{"rendered":"DollyWay World Domination: attack on WordPress websites"},"content":{"rendered":"<p>Given that just under half of all websites in the world are powered by the WordPress content management system, it\u2019s no wonder cybercriminals are constantly looking for loopholes to exploit it. This past March, cybersecurity researchers at the hosting company GoDaddy <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malware-campaign-dollyway-breached-20-000-wordpress-sites\/\" target=\"_blank\" rel=\"nofollow noopener\">described a campaign<\/a> that began in 2016 and has since compromised more than 20\u00a0000 WordPress websites worldwide.<\/p>\n<p>The campaign has been dubbed \u201cDollyWay World Domination\u201d after a line of code (define (\u2018DOLLY_WAY\u2019, \u2018World Domination\u2019)) found in the malware used in this campaign. As part of DollyWay, threat actors inject malicious scripts with various capabilities onto websites. Their main goal is to redirect users from legitimate websites to third-party pages. As of February 2025, experts had recorded over 10\u00a0000 infected WordPress websites worldwide.<\/p>\n<p>To compromise websites, malicious actors exploit vulnerabilities in WordPress plugins and themes. They start by injecting a harmless-looking script that raises no red flags with security systems performing static HTML code analysis. 
The script operates as a stealthy infiltrator \u2014 quietly downloading more dangerous code used for profiling victims, communicating with command-and-control servers, and ultimately redirecting visitors to infected sites. You can read the <a href=\"https:\/\/www.godaddy.com\/resources\/news\/dollyway-world-domination\" target=\"_blank\" rel=\"nofollow noopener\">original research paper<\/a> for a detailed description of how these scripts work.<\/p>\n<h2>Monetizing the malicious campaign<\/h2>\n<p>Redirect-links generated by DollyWay include an affiliate identifier \u2014 much like referral programs that bloggers often use to promote products or services. These identifiers allow websites to track where users are coming from. Bloggers typically earn a commission on purchases made by visitors who arrive through referral links. The DollyWay World Domination Campaign is monetized in much the same way, using the VexTrio and LosPollos affiliate programs.<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2024\/01\/vextrio-uber-of-cybercrime-brokering.html\" target=\"_blank\" rel=\"nofollow noopener\">VexTrio has been called the \u201cUber of cybercrime\u201d<\/a>. Reportedly active since at least 2017, this service primarily acts as a broker for scam content, spyware, malware, pornography, and so on. It\u2019s VexTrio that redirects the traffic from DollyWay to scam sites. As noted above, the malware profiles its victims. Based on these profiles, users are then funneled to various types of websites, such as fake dating sites, crypto scams, or gambling pages.<\/p>\n<p><a href=\"https:\/\/www.lospollos.com\/en\/\" target=\"_blank\" rel=\"nofollow noopener\">LosPollos<\/a> apparently specializes in selling traffic to legitimate services. Whenever DollyWay redirects traffic to a site promoted by LosPollos, the redirects always include the same LosPollos affiliate account identifier. 
DollyWay\u2019s partnership with LosPollos explains why, in some cases, redirects from infected sites lead users not to malicious pages, but to legitimate app listings on Google Play such as Tinder or TikTok.<\/p>\n<h2>How DollyWay conceals itself on websites it has infected<\/h2>\n<p>Cybercriminals exercise great care to keep their malware from being detected and removed. For starters, the malicious code is injected into every active plugin. Removing it is no walk in the park, as DollyWay employs an advanced re-infection mechanism that triggers every time a page on the compromised site is accessed. If the malicious code isn\u2019t removed from all active plugins and snippets, loading any page on the site will result in re-infection.<\/p>\n<p>Detecting DollyWay may prove no simple task either \u2014 the malware is adept at hiding its presence on an infected site. To maintain access to the compromised site, the attackers create their own account with admin privileges, and DollyWay hides this account from the WordPress dashboard.<\/p>\n<p>In case their accounts are discovered, the attackers also hijack the credentials of legitimate administrators. To do this, DollyWay monitors everything entered into the site\u2019s admin login form and saves the data to a hidden file.<\/p>\n<p>The attackers also take steps to ensure their assets remain operational. Researchers found evidence of a script apparently used by the attackers to maintain infected sites. Specifically, it can update WordPress, install and update required components, and initiate the injection of malicious code.<\/p>\n<p>Experts also discovered a web shell that the attackers use, among other things, to update compromised sites and keep away rival malware. 
This goes to show that the attackers are keen to prevent other malware from hijacking traffic or setting off any security alarms that might alert the site owner.<\/p>\n<p>The experts believe that the maintenance script and web shell aren\u2019t deployed on every site infected by DollyWay. Maintaining such infrastructure across all 10\u00a0000 sites would be prohibitively resource-intensive. Chances are, the attackers only deploy these scripts on their most valuable assets.<\/p>\n<h2>Protecting your corporate website<\/h2>\n<p>The sheer scale and longevity of the DollyWay World Domination campaign once again underscore the need for regular security audits of company websites. When it comes to WordPress sites, plugins and themes deserve particular attention \u2014 they\u2019ve repeatedly proven to be the most vulnerable parts of the platform\u2019s infrastructure.<\/p>\n<p>If you suspect your company\u2019s website has fallen victim to DollyWay, researchers recommend keeping a close eye on file creation and deletion events. Such activity can be an indicator of compromise, as some versions of DollyWay v3 perform file operations every time a page is loaded.<\/p>\n<p>Here is what you need to do if you come across signs of compromise.<\/p>\n<ul>\n<li>Temporarily take the affected site offline, redirecting all traffic to a static page. 
Or, at the very least, deactivate all plugins while you\u2019re removing the malware.<\/li>\n<li>Remove any suspicious plugins \u2014 but keep in mind that DollyWay knows how to hide them from the WordPress dashboard.<\/li>\n<li>Delete any unrecognized administrator accounts \u2014 again, be aware that DollyWay can hide these too.<\/li>\n<li>Change the passwords for all WordPress users, starting with anyone who has admin privileges.<\/li>\n<li>Enable two-factor authentication for WordPress sign-in.<\/li>\n<li>If the internal infosec team\u2019s resources are insufficient, seek help from third-party <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/incident-response?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">incident response specialists<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Since 2016, a threat actor has been exploiting insecure plugins and themes to infect WordPress websites and redirect traffic to malicious websites. 
<\/p>\n","protected":false},"author":2726,"featured_media":24152,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1457,2078,417,1022,521,268,399,304],"class_list":{"0":"post-24151","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-business","11":"tag-cms","12":"tag-plugins","13":"tag-risks","14":"tag-threats","15":"tag-vulnerabilities","16":"tag-websites","17":"tag-wordpress"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dollyway-world-domination-infects-wordpress-websites\/24151\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/dollyway-world-domination-infects-wordpress-websites\/28926\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dollyway-world-domination-infects-wordpress-websites\/29029\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dollyway-world-domination-infects-wordpress-websites\/28213\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/dollyway-world-domination-infects-wordpress-websites\/31014\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dollyway-world-domination-infects-wordpress-websites\/29728\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dollyway-world-domination-infects-wordpress-websites\/39734\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/dollyway-world-domination-infects-wordpress-websites\/13450\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dollyway-world-domination-infects-wordpress-websites\/53506\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dollyway-world-domination-infects-wordpress-websites\/22854\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dollyway-world-domination-infec
ts-wordpress-websites\/23907\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/dollyway-world-domination-infects-wordpress-websites\/32289\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/dollyway-world-domination-infects-wordpress-websites\/29207\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dollyway-world-domination-infects-wordpress-websites\/34965\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dollyway-world-domination-infects-wordpress-websites\/34598\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/wordpress\/","name":"wordpress"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24151"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24151\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24152"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}