Wednesday, June 4, 2025

DollyWay is infecting WordPress websites


Given that slightly under half of all websites in the world are powered by the WordPress content management system, it's no surprise that cybercriminals are constantly looking for loopholes to exploit it. This past March, cybersecurity researchers at the web hosting company GoDaddy described a campaign that began in 2016 and has since compromised more than 20 000 WordPress websites worldwide.

The campaign has been dubbed "DollyWay World Domination" after a line of code (define('DOLLY_WAY', 'World Domination')) found in the malware used in this campaign. As part of DollyWay, threat actors inject malicious scripts with various capabilities into websites. Their main goal is to redirect users from legitimate websites to third-party pages. As of February 2025, experts had recorded over 10 000 infected WordPress websites worldwide.

To compromise websites, malicious actors exploit vulnerabilities in WordPress plugins and themes. They start by injecting a harmless-looking script that raises no red flags with security systems that perform static analysis of HTML code. The script acts as a stealthy infiltrator, quietly downloading more dangerous code used for profiling victims, communicating with command-and-control servers, and ultimately redirecting visitors to infected sites. You can read the original research paper for a detailed description of how these scripts work.

Monetizing the malicious campaign

Redirect links generated by DollyWay include an affiliate identifier, much like the referral programs that bloggers often use to promote products or services. These identifiers allow websites to track where users are coming from. Bloggers usually earn a commission on purchases made by visitors who arrive through referral links. The DollyWay World Domination campaign is monetized in much the same way, using the VexTrio and LosPollos affiliate programs.

VexTrio has been called the "Uber of cybercrime". Reportedly active since at least 2017, this service primarily acts as a broker for scam content, adware, malware, pornography, and so on. It is VexTrio that redirects the traffic from DollyWay to scam sites. As noted above, the malware profiles its victims. Based on these profiles, users are then funneled to various types of websites, such as fake dating sites, crypto scams, or gambling pages.

LosPollos apparently specializes in selling traffic to legitimate businesses. Whenever DollyWay redirects traffic to a website promoted by LosPollos, the redirects always include the same LosPollos affiliate account identifier. DollyWay's partnership with LosPollos explains why, in some cases, redirects from infected sites lead users not to malicious pages but to legitimate app listings on Google Play such as Tinder or TikTok.

How DollyWay conceals itself on websites it has infected

Cybercriminals take great care to keep their malware from being detected and removed. For starters, the malicious code is injected into every active plugin. Removing it is no walk in the park, as DollyWay employs a sophisticated re-infection mechanism that triggers every time a page on the compromised website is accessed. If the malicious code isn't removed from all active plugins and snippets, loading any page on the site will result in re-infection.

Detecting DollyWay may prove no simple task either: the malware is adept at hiding its presence on an infected website. To maintain access to the compromised website, the attackers create their own account with admin privileges, and DollyWay hides this account from the WordPress dashboard.

In case their accounts are discovered, the attackers also hijack the credentials of legitimate administrators. To do this, DollyWay monitors everything entered into the site's admin login form and saves the data to a hidden file.

The attackers also take steps to ensure their assets remain operational. Researchers found evidence of a script apparently used by the attackers to maintain infected sites. In particular, it can update WordPress, install and update required components, and initiate the injection of malicious code.

Experts also discovered a web shell that the attackers use, among other things, to update compromised sites and keep rival malware away. This shows that the attackers are keen to prevent other malware from hijacking traffic or setting off any security alarms that might alert the site owner.

The experts believe that the maintenance script and web shell aren't deployed on every website infected by DollyWay. Maintaining such infrastructure across all 10 000 sites would be prohibitively resource-intensive. Chances are, the attackers only deploy these scripts on their most valuable assets.

Protecting your corporate website

The sheer scale and longevity of the DollyWay World Domination campaign once again underscore the need for regular security audits of company websites. When it comes to WordPress sites, plugins and themes deserve particular attention: they have repeatedly proven to be the most vulnerable parts of the platform's infrastructure.

If you suspect your company's website has fallen victim to DollyWay, researchers recommend keeping a close eye on file creation and deletion events. Such activity can be an indicator of compromise, as some versions of DollyWay v3 perform file operations every time a page is loaded.

Here's what you should do if you come across indicators of compromise.

  • Temporarily take the affected website offline, redirecting all traffic to a static page. Or, at the very least, deactivate all plugins while you're removing the malware.
  • Remove any suspicious plugins, but be aware that DollyWay knows how to hide them from the WordPress dashboard.
  • Delete any unrecognized administrator accounts; again, be aware that DollyWay can hide these too.
  • Change the passwords for all WordPress users, starting with anyone who has admin privileges.
  • Enable two-factor authentication for WordPress sign-in.
  • If the internal infosec team's resources are insufficient, seek help from third-party incident response specialists.
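One way to act on the file-monitoring advice above, as an added example that is not part of the article or of the researchers' tooling: take a hashed inventory of the plugins directory, re-take it after a few page loads, and report what was created, deleted or modified, flagging any changed file that contains the DOLLY_WAY string from the define() line quoted earlier. The plugin directory name and file contents in demo() are constructed for the scenario.

```python
import hashlib
import os
import tempfile

# String taken from the define('DOLLY_WAY', 'World Domination') line quoted above.
MARKER = b"DOLLY_WAY"

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)

def snapshot(root):
    """Map each file under root (hidden files included) to the SHA-256 of its bytes."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            inventory[os.path.relpath(full, root)] = hashlib.sha256(_read(full)).hexdigest()
    return inventory

def diff(before, after):
    """Classify paths as created, deleted or modified between two snapshots."""
    modified = [p for p in before.keys() & after.keys() if before[p] != after[p]]
    return {"created": sorted(after.keys() - before.keys()),
            "deleted": sorted(before.keys() - after.keys()),
            "modified": sorted(modified)}

def flag_marker(root, paths):
    """Return the paths (sorted) whose contents contain the DollyWay marker string."""
    return sorted(p for p in paths if MARKER in _read(os.path.join(root, p)))

def demo():
    """Constructed scenario: baseline, simulated injection, re-check."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "example-plugin")  # hypothetical plugin directory
        os.makedirs(plugin)
        _write(os.path.join(plugin, "plugin.php"), "<?php\n// benign plugin code\n")
        _write(os.path.join(plugin, "readme.txt"), "benign readme\n")
        baseline = snapshot(root)
        # Simulate a re-infection pass: appended define(), new hidden file, deleted file.
        _write(os.path.join(plugin, "plugin.php"), "define('DOLLY_WAY', 'World Domination');\n", "a")
        _write(os.path.join(plugin, ".cache.php"), "<?php\n/* DOLLY_WAY */\n")
        os.remove(os.path.join(plugin, "readme.txt"))
        changes = diff(baseline, snapshot(root))
        flagged = flag_marker(root, changes["created"] + changes["modified"])
        return {"changes": changes, "flagged": flagged}
```

On a real site, run snapshot() against wp-content/plugins, store the result, and call diff() against a fresh snapshot after loading a few pages; demo() only exercises the same functions on a throwaway directory.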
