DollyWay is infecting WordPress sites | Kaspersky official blog

DollyWay is infecting WordPress sites | Kaspersky official blog

/in

Given that just under half of all websites in the world are powered by the WordPress content management system, it’s no wonder cybercriminals are constantly looking for loopholes to exploit it. This past March, cybersecurity researchers at the hosting company GoDaddy described a campaign that began in 2016 and has since compromised more than 20 000 WordPress websites worldwide.

The campaign has been dubbed “DollyWay World Domination” after a line of code (define (‘DOLLY_WAY’, ‘World Domination’)) found in the malware used in this campaign. As part of DollyWay, threat actors inject malicious scripts with various capabilities onto websites. Their main goal is to redirect users from legitimate websites to third-party pages. As of February 2025, experts had recorded over 10 000 infected WordPress websites worldwide.

To compromise websites, malicious actors exploit vulnerabilities in WordPress plugins and themes. They start by injecting a harmless-looking script that raises no red flags with security systems performing static HTML code analysis. The script operates as a stealthy infiltrator — quietly downloading more dangerous code used for profiling victims, communicating with command-and-control servers, and ultimately redirecting visitors to infected sites. You can read the original research paper for a detailed description of how these scripts work.

Monetizing the malicious campaign

Redirect-links generated by DollyWay include an affiliate identifier — much like referral programs that bloggers often use to promote products or services. These identifiers allow websites to track where users are coming from. Bloggers typically earn a commission on purchases made by visitors who arrive through referral links. The DollyWay World Domination Campaign is monetized in much the same way, using the VexTrio and LosPollos affiliate programs.

VexTrio has been called the “Uber of cybercrime”. Reportedly active since at least 2017, this service primarily acts as a broker for scam content, spyware, malware, pornography, and so on. It’s VexTrio that redirects the traffic from DollyWay to scam sites. As noted above, the malware profiles its victims. Based on these profiles, users are then funneled to various types of websites, such as fake dating sites, crypto scams, or gambling pages.

LosPollos apparently specializes in selling traffic to legitimate services. Whenever DollyWay redirects traffic to a site promoted by LosPollos, the redirects always include the same LosPollos affiliate account identifier. DollyWay’s partnership with LosPollos explains why, in some cases, redirects from infected sites lead users not to malicious pages, but to legitimate app listings on Google Play such as Tinder or TikTok.

How DollyWay conceals itself on websites it has infected

Cybercriminals exercise great care to keep their malware from being detected and removed. For starters, the malicious code is injected into every active plugin. Removing it is no walk in the park, as DollyWay employs an advanced re-infection mechanism that triggers every time a page on the compromised site is accessed. If the malicious code isn’t removed from all active plugins and snippets, loading any page on the site will result in re-infection.

Detecting DollyWay may prove no simple task either — the malware is adept at hiding its presence on an infected site. To maintain access to the compromised site, the attackers create their own account with admin privileges, and DollyWay hides this account from the WordPress dashboard.

In case their accounts are discovered, the attackers also hijack the credentials of legitimate administrators. To do this, DollyWay monitors everything entered into the site’s admin login form and saves the data to a hidden file.

The attackers also take steps to ensure their assets remain operational. Researchers found evidence of a script apparently used by the attackers to maintain infected sites. Specifically, it can update WordPress, install and update required components, and initiate the injection of malicious code.

Experts also discovered a web shell that the attackers use, among other things, to update compromised sites and keep away rival malware. This goes to show that the attackers are keen to prevent other malware from hijacking traffic or setting off any security alarms that might alert the site owner.

The experts believe that the maintenance script and web shell aren’t deployed on every site infected by DollyWay. Maintaining such infrastructure across all 10 000 sites would be prohibitively resource-intensive. Chances are, the attackers only deploy these scripts on their most valuable assets.

Protecting your corporate website

The sheer scale and longevity of the DollyWay World Domination campaign once again underscore the need for regular security audits of company websites. When it comes to WordPress sites, plugins and themes deserve particular attention — they’ve repeatedly proven to be the most vulnerable parts of the platform’s infrastructure.

If you suspect your company’s website has fallen victim to DollyWay, researchers recommend keeping a close eye on file creation and deletion events. Such activity can be an indicator of compromise, as some versions of DollyWay v3 perform file operations every time a page is loaded.

Here is what you need to do if you come across signs of compromise.

  • Temporarily take the affected site offline, redirecting all traffic to a static page. Or, at the very least, deactivate all plugins while you’re removing the malware.
  • Remove any suspicious plugins — but keep in mind that DollyWay knows how to hide them from the WordPress dashboard.
  • Delete any unrecognized administrator accounts — again, be aware that DollyWay can hide these too.
  • Change the passwords for all WordPress users, starting with anyone who has admin privileges.
  • Enable two-factor authentication for WordPress sign-in.
  • If the internal infosec team’s resources are insufficient, seek help from third-party incident response specialists.

Kaspersky official blog – ​Read More