CVE-2024-51459 – IBM InfoSphere Information Server Vulnerability
March 20, 2025
Multiple Adobe Experience Manager Vulnerabilities
March 20, 2025
March 20, 2025
Severity
High
Analysis Summary
A long-running malware campaign called 'DollyWay' has compromised over 20,000 WordPress sites since 2016, redirecting their visitors to malicious websites. The campaign has evolved over the years, adding techniques to evade detection, reinfect cleaned sites, and monetize the traffic it hijacks.
According to a researcher, DollyWay operates as a large-scale scam redirection system in its latest version (v3). However, earlier versions distributed more dangerous malware, such as ransomware and banking trojans. Recent findings reveal that multiple malware campaigns previously thought to be separate are actually part of this single large-scale operation. The name 'DollyWay' comes from a specific code string found in the malware: define('DOLLY_WAY', 'World Domination').
DollyWay v3 infects vulnerable WordPress sites by exploiting known security flaws in plugins and themes. As of February 2025, the malware is responsible for 10 million fraudulent impressions per month, redirecting users to fake dating, gambling, cryptocurrency, and sweepstakes sites.
The infection process begins with a script injected into the site's pages that loads malicious JavaScript. That script collects data about the visitor (a traffic distribution system, or TDS, decides who gets redirected) and selects three other infected sites to act as redirection nodes. The final redirection is triggered only when the visitor clicks on something on the page, so security scanners that simply load the page without interacting with it never observe the redirect.
DollyWay is highly persistent, making it difficult to remove. The injected PHP runs on every page load and re-adds itself to every active plugin, so cleaning only some of the plugins leaves the others to restore the infection. It also installs a copy of the WPCode plugin, hides it from the plugin list, and uses it to store additional obfuscated code. Because WPCode runs arbitrary PHP snippets as part of WordPress, the attackers can alter the site's behaviour without touching files an administrator would normally review.
To further hide its presence, DollyWay creates secret administrator accounts with random names. These are hidden from the Users page in the admin panel and are found only by inspecting the database directly (the wp_users and wp_usermeta tables).
Impact
- Unauthorized Access
- Financial Loss
- Security Bypass
Indicators of Compromise
Domain Name
- abstracts.cngsby.cfd
- ity.anoneth.fun
- admirable.brehmed.cfd
- adventure.lantial.cfd
- alignment.econd.cfd
- artistry.cngsby.sbs
- barometer.unroose.space
- breakfast.ffiftringg.sbs
- composure.pedancy.fun
- configure.crellar.cfd
- constructive.curvive.space
- constructive.lantial.us
- dalopt.participates.cfd
- discovered.secamondareeng.space
- expedient.eithert.cfd
- premiumservices.approviding.store
- keenram.anariding.site
- oldoak.spindexed.site
- workbench.cudwork.cfd
- vintage.brehmed.sbs
- tremendous.mcgonal.cfd
- transmit.chanism.cfd
Remediation
- Regularly update WordPress core, themes, and plugins to patch known vulnerabilities.
- Use a web application firewall (WAF) to block malicious traffic and exploit attempts.
- Scan WordPress sites frequently with security plugins or external scanners to detect infections.
- Remove any unknown or suspicious admin users by querying the WordPress database (wp_users joined with wp_usermeta) rather than relying on the admin panel's Users page, which the malware can manipulate.
- Review installed plugins, especially hidden or unfamiliar ones such as an unexpected copy of WPCode, and remove any suspicious entries.
- Manually inspect and clean injected PHP or JavaScript code from affected plugins and themes, treating every active plugin as suspect: leaving one infected plugin in place is enough to reinfect the rest on the next page load.
- Disable file editing from the WordPress admin panel (set DISALLOW_FILE_EDIT to true in wp-config.php) to prevent unauthorized changes.
- Restore the site from a backup that is verified to predate the infection, if one is available, and rotate all credentials afterwards.
- Monitor server logs for unusual activity, such as unexpected script executions or file changes.
- Restrict plugin installation permissions to trusted administrators only.
- Implement strong, unique passwords for all admin accounts and enable two-factor authentication (2FA).
- Regularly check and clean the database for hidden malware entries or injected scripts.
- Use security monitoring tools to detect reinfections and prevent persistent malware.
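The hidden-admin and plugin-reinfection behaviour described in the analysis, and the database and plugin checks the remediation list calls for, as an added triage example that is not part of the original advisory or of any vendor tooling. It assumes the default `wp_` table prefix (sites with a custom prefix must change both the table names and the `wp_capabilities` meta key), treats only the `define('DOLLY_WAY', ...)` string named above as campaign-specific, and uses an eval-wrapped decoder pattern as a generic obfuscation heuristic, not a DollyWay signature. The user rows and plugin files are constructed sample data, and sqlite stands in for MySQL so the script runs offline; the admin query itself runs unchanged against MySQL because WordPress stores roles as a PHP-serialized array in `wp_usermeta.wp_capabilities`.

```python
"""Offline triage helpers for a suspected DollyWay infection (added example, not advisory code)."""
import os
import re
import sqlite3
import tempfile

# The define() string is the marker the write-up names. The eval-wrapped decoder
# pattern is a generic obfuscation heuristic (assumption), so review hits by hand.
DOLLY_MARKER = re.compile(rb"define\(\s*['\"]DOLLY_WAY['\"]")
GENERIC_OBFUSCATION = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")


def scan_plugins(plugins_dir):
    """Return {path: [reasons]} for every .php file under plugins_dir that matches a pattern."""
    hits = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if DOLLY_MARKER.search(data):
                reasons.append("DOLLY_WAY marker")
            if GENERIC_OBFUSCATION.search(data):
                reasons.append("eval-wrapped decoder")
            if reasons:
                hits[path] = reasons
    return hits


# Roles live in wp_usermeta as serialized PHP, e.g. a:1:{s:13:"administrator";b:1;},
# so a substring match on "administrator" finds every admin regardless of the UI.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
"""


def find_unexpected_admins(conn, known_admins):
    """Return admin logins that are not on the owner-maintained allow-list, sorted."""
    rows = conn.execute(ADMIN_QUERY).fetchall()
    return sorted(login for _id, login, _mail, _reg in rows if login not in known_admins)


def build_sample_db():
    """Constructed sample: a legitimate admin, an editor, and a random-named hidden admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.com', '2019-04-02 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor1', 'editor@example.com', '2020-06-11 09:30:00');
        INSERT INTO wp_users VALUES (3, 'zq8kvd3t', 'zq8kvd3t@example.net', '2025-02-14 03:12:44');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def build_sample_plugins():
    """Constructed plugin tree: one clean plugin and one carrying the DOLLY_WAY define."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "clean-plugin"))
    os.makedirs(os.path.join(base, "hidden-copy"))
    with open(os.path.join(base, "clean-plugin", "clean-plugin.php"), "wb") as fh:
        fh.write(b"<?php\n/* Plugin Name: Clean */\nadd_action('init', 'clean_init');\n")
    with open(os.path.join(base, "hidden-copy", "index.php"), "wb") as fh:
        fh.write(b"<?php\ndefine('DOLLY_WAY', 'World Domination');\neval(base64_decode('...'));\n")
    return base


if __name__ == "__main__":
    for login in find_unexpected_admins(build_sample_db(), {"siteowner"}):
        print("unexpected administrator:", login)
    for path, reasons in scan_plugins(build_sample_plugins()).items():
        print("suspicious file:", path, ", ".join(reasons))
```

On a real site, point `scan_plugins` at `wp-content/plugins` (and, separately, at the themes directory) and run `ADMIN_QUERY` through the MySQL client or wp-cli's `wp db query`; the allow-list must come from the site owner, not from the admin panel, since the whole point is that the panel cannot be trusted during an active infection.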