Malware campaign 'DollyWay' breached 20,000 WordPress sites

A malware operation dubbed 'DollyWay' has been underway since 2016, compromising over 20,000 WordPress sites globally to redirect users to malicious sites. "GoDaddy Security researchers have uncovered evidence linking multiple malware campaigns into a single, long-running operation we've named 'DollyWay World Domination'," explains a recent report by GoDaddy. "While previously thought to be separate campaigns, our research reveals these attacks share common infrastructure, code patterns, and monetization methods - all appearing to be connected to a single, sophisticated threat actor."

According to GoDaddy researcher Denis Sinegubko, DollyWay has been functioning as a large-scale scam redirection system in its latest version (v3). As of February 2025, DollyWay generates 10 million fraudulent impressions per month by redirecting WordPress site visitors to fake dating, gambling, crypto, and sweepstakes sites.

DollyWay v3 is an advanced redirection operation that targets vulnerable WordPress sites using n-day flaws in plugins and themes to compromise them. The malware spreads its PHP code across all active plugins and also adds a copy of the WPCode plugin (if not already installed) that contains obfuscated malware snippets. WPCode is a third-party plugin allowing admins to add small snippets of "code" that modify WordPress functionality without directly editing theme files or WordPress code. As part of an attack, the hackers hide WPCode from the WordPress plugin list so administrators cannot see or delete it, making disinfection complicated. DollyWay also creates admin users named after random 32-character hex strings and keeps those accounts hidden in the admin panel.

A Traffic Distribution System (TDS) analyzes and redirects web traffic based on various attributes of a visitor, such as their location, device type, and referrer. Cybercriminals commonly use malicious TDS systems to redirect users to phishing sites or malware downloads. In DollyWay's case, the second stage collects visitor referrer data to help categorize the redirection traffic and then loads the TDS script that decides whether a visitor is a valid target. Direct website visitors that have no referrer, visitors that are bots (the script has a hardcoded list of 102 known bot user-agents), and logged-in WordPress users (including admins) are considered invalid and are not redirected. The third stage selects three random infected sites to serve as TDS nodes and then loads hidden JavaScript from one of them to perform the final redirection to VexTrio or LosPollos scam pages. It's worth noting that the final redirect only occurs when the visitor interacts with a page element (clicks), evading passive scanning tools that only examine page loads.
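Two of the persistence traits described above, hidden administrator accounts with 32-character hex names and a plugin present on disk but missing from the plugin list, are easy to check for from the command line. The following is an added triage script, not code from GoDaddy or the article; it assumes the user list comes from `wp user list --fields=user_login,roles --format=json` and that the plugin directory names and the slugs WordPress reports are collected separately and passed in.

```python
import json
import re

# The report describes rogue admin accounts named after random 32-character
# hex strings; this matches exactly that shape.
HEX32_LOGIN = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def find_hex_admins(users_json: str) -> list[str]:
    """Return logins of administrator accounts whose name is a 32-char hex string.

    users_json is assumed to be a JSON list of objects with a 'user_login'
    string and a comma-separated 'roles' string (wp-cli's JSON output shape).
    """
    flagged = []
    for user in json.loads(users_json):
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        login = user.get("user_login", "")
        if "administrator" in roles and HEX32_LOGIN.match(login):
            flagged.append(login)
    return flagged


def find_unlisted_plugins(dirs_on_disk, listed_slugs) -> list[str]:
    """Plugin directories under wp-content/plugins that WordPress does not list.

    A plugin hidden from the admin plugin list still has a directory on disk,
    so anything on disk but absent from `wp plugin list` deserves a look.
    """
    return sorted(set(dirs_on_disk) - set(listed_slugs))


# Constructed sample data, not taken from any real site.
SAMPLE_USERS = json.dumps([
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "editor_jane", "roles": "editor"},
    {"user_login": "3f2a9c8d1e7b4a6f0c5d2e8b9a1f7c3d", "roles": "administrator"},
    {"user_login": "0123456789abcdef0123456789abcdef", "roles": "subscriber"},
])
# 'insert-headers-and-footers' is WPCode's wordpress.org slug (assumed here).
SAMPLE_DIRS = ["akismet", "insert-headers-and-footers", "contact-form-7"]
SAMPLE_LISTED = ["akismet", "contact-form-7"]

if __name__ == "__main__":
    print("hex-named admins:", find_hex_admins(SAMPLE_USERS))
    print("on disk but unlisted:", find_unlisted_plugins(SAMPLE_DIRS, SAMPLE_LISTED))
```

A hit from either check is a lead, not proof of compromise; confirm by inspecting the account's creation date and the plugin directory's contents.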

This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 19 Mar 2025 23:15:05 +0000
