In the space of eight years, the so-called DollyWay malware has infected more than 20,000 WordPress sites. Compromised sites redirect their visitors to scam pages. The campaign's name reflects the malware's own declared ambition of 'world domination'.
The campaign, dubbed "DollyWay World Domination" by a GoDaddy research team after a string it leaves behind, has been active since 2016. It has not stood still in those eight years and is now in its third iteration. In 2025, DollyWay runs on a network of compromised WordPress sites that serve both as a Traffic Direction System (TDS) and as Command and Control (C2) nodes.
Advanced techniques for persistence
DollyWay v3 is notably advanced. The malware uses cryptographically signed data transfers, several injection methods spread across files and the database, and automatic reinfection mechanisms. Together this is a feature set that most malware only partially matches. Strikingly, the attackers also remove competing malware, and they even apply WordPress updates to keep control of the infected sites. These Darwinian traits make it harder for victims to notice that their site has been compromised, because many of the tell-tale signs of other infections are erased.
The injection process works in four steps designed to evade detection by security tools. The end goal is to redirect visitors of infected sites to scam pages, mainly through the VexTrio/LosPollos network, one of the largest known cybercriminal networks.
Persistent reinfection and hidden administrators
One of the most worrying aspects of DollyWay is its reinfection mechanism. The malware injects itself into every active plugin and into WPCode snippets, and re-runs its infection routine every time a WordPress page is loaded. This makes it extremely difficult to remove the malware completely, even once it has been detected.
In addition, the malware creates hidden administrator accounts with random hexadecimal usernames and harvests the login credentials of legitimate administrators. The attackers also hide the WPCode plugin from the WordPress dashboard to avoid detection.
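One check a site operator can run against the hidden-administrator behaviour described above (and against the advice at the end of this article to review administrator accounts) is below. It is an added example, not code from GoDaddy's research or from WordPress. It takes the JSON that WP-CLI prints for `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles` and flags administrator accounts that are either absent from an operator-maintained allowlist or whose login consists solely of hexadecimal digits, the pattern the article attributes to DollyWay. The allowlist, the sample users and the minimum login length of eight characters are all constructed assumptions for the example.

```python
"""Heuristic review of WordPress administrator accounts (added example).

Input is the JSON produced by:
  wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles
Field names follow WP-CLI's output; the sample data below is constructed.
"""
import json
import re

# A login that is nothing but hex digits and at least 8 characters long.
# The length floor is an assumption so that short real names such as "abe"
# or "bea" are not flagged.
HEX_LOGIN = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)

# Constructed allowlist: the administrators the site operator actually created.
KNOWN_ADMINS = {"editor_jane", "siteowner"}

# Constructed sample in the shape of WP-CLI's JSON output. WP-CLI renders
# "roles" as a comma-separated string; a list is accepted as well.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2019-04-02 10:11:12", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2021-06-15 08:00:00", "roles": "administrator"},
    {"ID": 3, "user_login": "blogger", "user_email": "b@example.com",
     "user_registered": "2022-01-01 00:00:00", "roles": "author"},
    {"ID": 57, "user_login": "7f3a9c1e2b4d", "user_email": "7f3a9c1e2b4d@example.com",
     "user_registered": "2025-03-10 03:21:44", "roles": "administrator"},
    {"ID": 58, "user_login": "deadbeef", "user_email": "x@example.com",
     "user_registered": "2025-03-11 03:21:44", "roles": "subscriber"},
])


def roles_of(user):
    """Normalise the roles field to a lowercase set, whatever its input form."""
    roles = user.get("roles", "")
    if isinstance(roles, str):
        roles = roles.split(",")
    return {r.strip().lower() for r in roles if r.strip()}


def is_admin(user):
    return "administrator" in roles_of(user)


def looks_like_hex_login(login):
    return bool(HEX_LOGIN.match(login))


def suspicious_admins(users_json, known_admins=KNOWN_ADMINS):
    """Return (login, reasons) pairs for administrator accounts worth reviewing.

    Non-administrator accounts are ignored: a hex-named subscriber is odd but
    cannot take over the site, and the article's concern is hidden admins.
    """
    findings = []
    for user in json.loads(users_json):
        if not is_admin(user):
            continue
        login = user["user_login"]
        reasons = []
        if login not in known_admins:
            reasons.append("not on allowlist")
        if looks_like_hex_login(login):
            reasons.append("hex-only login")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in suspicious_admins(SAMPLE_USERS_JSON):
        print(f"review administrator {login!r}: {', '.join(reasons)}")
```

The allowlist is the stronger of the two tests; the hex pattern only catches the naming habit reported for this campaign and says nothing about an attacker who picks a plausible name. If the site's own PHP is not trusted, generate the input from a direct query of the `wp_users` and `wp_usermeta` tables rather than through WP-CLI running inside the compromised installation.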
These techniques make DollyWay an extremely persistent threat to WordPress sites, comparable to earlier large-scale attacks on the popular CMS. Earlier this year, Belgian security specialist C/side warned of another large-scale malware campaign that exploited outdated WordPress versions and plugins.
Long-term evolution
The GoDaddy researchers have been able to link several malware campaigns that were previously considered separate, including Master134, Fake Browser Updates and CountsTDS. These all appear to be part of the same operation that has been active for eight years.
DollyWay benefits from a large attack surface. Research by WordFence showed last year that the number of vulnerabilities disclosed in WordPress plugins and themes doubled in 2023, so the numbers are moving in the wrong direction for defenders.
Site administrators are advised, as always with such campaigns, to keep WordPress and all plugins up to date, to check for suspicious administrator accounts, and to run regular security scans so that infections like this are caught early.