Let’s get one thing straight, folks—there’s a storm out there. A long-running, nasty, godforsaken malware campaign that’s been quietly ruining lives for the better part of eight years.
It’s called DollyWay, and it’s been hacking into WordPress sites like a pit bull with a vendetta, redirecting innocent web users to a smorgasbord of malicious hellholes. If you thought your WordPress site was safe, think again.
This is not your run-of-the-mill attack—it’s a complex, twisted operation that’s had its claws deep in the internet’s gut since 2016.
Over the past eight years, this infection has evolved from a simple scam into a multi-headed beast of redirection, re-infection, and straight-up profiteering. And the worst part? It’s stealthy. Too damn stealthy.
According to GoDaddy’s Denis Sinegubko, the latest iteration of DollyWay (version 3, for those keeping score) has become a massive redirection engine, funneling visitors to fake dating sites, gambling pages, shady crypto scams, and other dark corners of the web.
But it didn’t start there. Oh no. At first, this thing was slinging ransomware, banking trojans, and other malware that made your average hacker look like a kid playing with a toy gun.
A report from GoDaddy Security uncovers the grisly details of what’s being described as “DollyWay World Domination.” Hell, it’s not even a campaign anymore.
It’s a full-scale operation, with layers upon layers of malicious code, a ridiculous network of compromised sites, and a hell-bent criminal mastermind pulling the strings behind the scenes.
The whole operation is linked to one name: World Domination—as found in some of the malware’s defining code. There’s no sugar-coating it: this is cybercrime on a global scale.
The Redirection Horror Show
Here’s the deal—DollyWay is an advanced redirection scheme that specifically targets WordPress sites running outdated plugins or themes. A little bit of a backdoor magic trick, and boom—the site is compromised.
As of February 2025, the malware is responsible for generating a jaw-dropping 10 million fraudulent impressions every month.
And how does it make its money? Oh, it’s brilliant. Visitors are funneled through a Traffic Direction System (TDS)—think of it as a funnel, except instead of funneling them into useful websites, it’s pushing them into a digital hellscape full of scams.
VexTrio and LosPollos affiliate networks are the big players in this scheme, raking in cash for each redirect that turns into a click. The malware is even more insidious in its final step—it only triggers when a user interacts with a page element. That’s right, folks—no passive scanning tool is going to save you from this one.
Persistence Is the Name of the Game
DollyWay doesn’t just pack a punch once—it’s a relentless bastard that keeps coming back for more. It’s designed to auto-reinfect WordPress sites with every single page load.
And here’s how it does it: the malware hides itself in plugins, injects itself into every nook and cranny, and even goes so far as to create fake admin users with 32-character hex strings. These fake accounts are hidden so well that you need a database inspection just to uncover them.
It also sneaks in WPCode—an innocuous-looking plugin that lets site admins add code without touching the core files. It’s perfect for hiding malware. And when administrators think they’ve cleaned up, DollyWay reappears, silently reloading itself into the system.
The Long-Term Battle
It’s clear that DollyWay is here for the long haul. Its persistence, evolution, and ever-expanding footprint are a nightmare for website owners and administrators who are ill-prepared for such a sophisticated threat. It’s the kind of campaign that builds an empire out of chaos, one infected site at a time.
GoDaddy’s security researchers have shared indicators of compromise (IoCs) to help defend against this hellish threat, but make no mistake: DollyWay is a testament to the fact that cybercriminals are always evolving, always scheming, and always a few steps ahead. Keep your sites locked down, folks, because if you don’t, the next victim could be you.
The wild web waits for no one. And DollyWay? It’s just getting started.
