
Since 2016, the DollyWay malware campaign has compromised more than 20,000 WordPress websites worldwide, redirecting unsuspecting users to fraudulent destinations. Over the past nine years, the attack has undergone significant evolution, incorporating advanced evasion techniques, reinfection mechanisms, and monetization strategies.
According to GoDaddy, the latest iteration (v3) of DollyWay operates as a mass-scale fraudulent redirection system. However, in previous years, threat actors leveraged this infrastructure to disseminate ransomware and banking Trojans. What were once considered isolated attacks have now been identified as interrelated, sharing a unified infrastructure, similar code templates, and identical monetization tactics.
DollyWay v3 targets vulnerable WordPress websites by exploiting flaws in plugins and themes. As of February 2025, this malware campaign generates approximately 10 million fraudulent ad impressions per month, funneling visitors from compromised sites to fake dating platforms, gambling portals, cryptocurrency scams, and prize-draw schemes.
The attack is monetized through affiliate networks, utilizing a Traffic Direction System (TDS) that analyzes visitor attributes—such as geolocation, device type, and referral source—before directing them to tailored fraudulent landing pages.
The infection begins with the injection of a malicious script via the wp_enqueue_script function, initiating the second stage of the attack. The system then assesses traffic sources before engaging the TDS, which determines which users will be redirected.
Only visitors who meet specific criteria are targeted—those who are not bots (checked against a list of 102 known crawlers), not logged into WordPress, and arriving from external sources. Three randomly selected compromised websites, acting as TDS nodes, then load an obfuscated JavaScript payload that ultimately leads users to fraudulent partner sites.
DollyWay is an exceptionally persistent threat, automatically reinstating itself upon each site visit, making its removal particularly challenging. To achieve this, the malware injects malicious code into active WordPress plugins and, when necessary, installs WPCode, a legitimate plugin designed for managing code snippets. WPCode is stealthily integrated into the system, making it invisible to site administrators, who cannot detect or remove it through the WordPress dashboard.
Additionally, DollyWay creates hidden administrative accounts, randomly named using 32-character hexadecimal strings, which do not appear in the WordPress admin panel and can only be discovered through database analysis.
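Because the hidden accounts described above do not show up in the admin panel, the practical check is against the database itself. The following script is an added example for this article, not GoDaddy's tooling or any code from the campaign: it takes rows exported from wp_users and wp_usermeta (the sample rows below are constructed for illustration), parses the serialized wp_capabilities value, and flags administrator accounts whose login is a 32-character hexadecimal string or that are missing from an operator-maintained allowlist of legitimate administrators. The `wp_` table prefix and the allowlist contents are assumptions a site owner would adjust.

```python
"""Flag WordPress administrator accounts that match the hidden-user pattern.

Added example, not part of the original article or GoDaddy's research tooling.
Input rows mimic wp_users and wp_usermeta; the sample rows are constructed.
"""
import re
from dataclasses import dataclass, field

# 32-character hexadecimal login, the naming pattern reported for the hidden accounts
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Assumption: default table prefix; the capabilities meta_key is "<prefix>capabilities"
TABLE_PREFIX = "wp_"


@dataclass
class Finding:
    user_id: int
    login: str
    reasons: list = field(default_factory=list)


def capabilities_for(usermeta_rows, prefix=TABLE_PREFIX):
    """Map user_id -> set of role names parsed from serialized wp_capabilities values.

    WordPress stores roles as a PHP-serialized array, e.g.
    a:1:{s:13:"administrator";b:1;}; only roles set to true (b:1) count.
    """
    key = f"{prefix}capabilities"
    roles = {}
    for row in usermeta_rows:
        if row["meta_key"] != key:
            continue
        found = re.findall(r's:\d+:"([^"]+)";b:1;', row["meta_value"])
        roles.setdefault(row["user_id"], set()).update(found)
    return roles


def find_suspicious_admins(users, usermeta, known_admins, prefix=TABLE_PREFIX):
    """Return Findings for administrators that look rogue.

    known_admins is the site owner's allowlist of legitimate administrator logins.
    """
    roles = capabilities_for(usermeta, prefix)
    findings = []
    for u in users:
        if "administrator" not in roles.get(u["ID"], set()):
            continue
        reasons = []
        if HEX32.match(u["user_login"]):
            reasons.append("32-char hex login")
        if u["user_login"] not in known_admins:
            reasons.append("administrator not in allowlist")
        if reasons:
            findings.append(Finding(u["ID"], u["user_login"], reasons))
    return findings


# Constructed sample rows (not real data): one legitimate admin, one editor,
# one hex-named admin, and one unexpected admin with an ordinary-looking name.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "alice"},
    {"ID": 2, "user_login": "editor_bob"},
    {"ID": 3, "user_login": "3f9a0c1e5b7d2a4c6e8f0a1b2c3d4e5f"},
    {"ID": 4, "user_login": "support_admin"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 4, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    for f in find_suspicious_admins(SAMPLE_USERS, SAMPLE_USERMETA, known_admins={"alice"}):
        print(f"user {f.user_id} ({f.login}): {', '.join(f.reasons)}")
```

Running it against the constructed rows reports user 3 (hex login, not allowlisted) and user 4 (not allowlisted). The allowlist check matters because a hex-only pattern is easy for a future variant to change; an account that holds the administrator role but that nobody on the team created is the durable signal, and it is only visible at the database layer.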
GoDaddy security researchers have published a list of Indicators of Compromise (IoCs) to help identify and neutralize DollyWay infections. Analysts continue to examine the malware’s architecture and uncover its latest operational tactics, as the campaign remains one of the most resilient and adaptive threats targeting WordPress environments.