
A sophisticated malware campaign, active for nearly a decade, has compromised over 20,000 WordPress websites. Known as "DollyWay World Domination," this operation has been active since 2016. Recent findings by GoDaddy reveal that multiple threat campaigns, previously thought to be separate, are part of a larger cybercrime network orchestrated by VexTrio. This network uses traffic distribution systems (TDSs) and lookalike domains to spread malware and scams.
Unraveling the DollyWay Campaign
GoDaddy's research highlights the complexity of the DollyWay campaign, which primarily targets visitors of infected WordPress sites. The campaign uses injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites. This sophisticated method involves cryptographically signed data transfers and the removal of competing malware.
Mechanics of the Attack
When users visit an infected site, they are redirected through a series of scam pages, including cryptocurrency and dating scams. Ultimately, users may end up on malware or phishing sites, or even legitimate app pages like Google Play. VexTrio profits from this hijacked traffic through affiliate ad revenue from networks such as AdsTerra and PropellerAds. Historically, the group has also deployed more aggressive payloads like ransomware and banking trojans.
- Infection Scale: As of February 2025, over 10,000 unique WordPress sites are infected, generating millions of malicious script impressions monthly.
- Indicators of Compromise: GoDaddy's blog provides detailed indicators to help identify compromised sites.
Defensive Measures and Recommendations
The tactics employed by VexTrio highlight the diverse strategies used by cybercriminals to monetize their activities. The integration of commercial ad networks into these schemes is a notable aspect of their operations. DollyWay's malware continuously reinfects WordPress pages, disabling security plugins and injecting fresh code, making it challenging to eradicate.
Steps for Site Administrators
Administrators suspecting compromise should consider temporarily disabling their site or plugins to clean infections. Key recommendations include:
- Regular Updates: Keep WordPress core, themes, and plugins updated.
- Security Practices: Implement strong admin passwords, use multifactor authentication, and deploy a Web Application Firewall (WAF).
- Monitoring: Use tools to detect malicious code and remove unfamiliar themes and plugins.
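The reinfection behaviour described above (fresh code injected into existing files, new files dropped) and the monitoring recommendation both come down to the same operational question: which files under a WordPress install have changed since a known-good state, and do the changed ones carry redirect or loader code? The script below is an added example written for this article; it is not GoDaddy's tooling and it uses no DollyWay indicators from their report. It baselines a directory tree with SHA-256, re-hashes it later, and runs a few generic heuristics (external script tags, PHP eval of a decoded payload, JavaScript location redirects) only over added or modified files. The demo tree, the theme and plugin file names, and the `tds-node.example.invalid` host are all constructed placeholders.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Generic heuristics for injected redirect or loader code in theme/plugin files.
# These are illustrative assumptions, not indicators from GoDaddy's DollyWay report.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<script[^>]*\ssrc=[\"']https?://", re.I), "script tag loading an external host"),
    (re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I), "PHP eval of decoded payload"),
    (re.compile(r"(?:window|document)\.location(?:\.href)?\s*=|location\.replace\s*\(", re.I), "JavaScript redirect"),
    (re.compile(r"atob\s*\(\s*[\"'][A-Za-z0-9+/=]{40,}", re.I), "base64-decoded JavaScript payload"),
]

SCAN_SUFFIXES = {".php", ".js", ".html"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify files as added, modified or removed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def scan_file(path: Path) -> list:
    """Return the labels of every heuristic that fires on a file's contents."""
    if path.suffix.lower() not in SCAN_SUFFIXES:
        return []
    text = path.read_text(errors="replace")
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(text)]


def scan_changes(root: Path, baseline: dict) -> list:
    """Re-hash the tree, then run the heuristics only over files that are new or changed."""
    changes = diff_baseline(baseline, build_baseline(root))
    report = []
    for status in ("added", "modified"):
        for rel in changes[status]:
            report.append({"path": rel, "status": status, "findings": scan_file(root / rel)})
    report.extend({"path": rel, "status": "removed", "findings": []} for rel in changes["removed"])
    return report


def demo() -> list:
    """Constructed scenario: a clean install is baselined, then 'reinfected'."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    theme = root / "wp-content" / "themes" / "demo-theme"      # constructed theme name
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
    (theme / "footer.php").write_text("<footer><?php wp_footer(); ?></footer>\n")
    baseline = build_baseline(root)
    # Simulate what the article describes: fresh code appended to an existing file
    # and a new file dropped into plugins. Host and file names are placeholders.
    (theme / "footer.php").write_text(
        "<footer><?php wp_footer(); ?></footer>\n"
        "<script src='https://tds-node.example.invalid/r.js'></script>\n"
    )
    (root / "wp-content" / "plugins").mkdir()
    (root / "wp-content" / "plugins" / "wp-cache-helper.php").write_text(
        "<?php eval(base64_decode('aGVsbG8=')); ?>\n"   # decodes to 'hello'
    )
    return scan_changes(root, baseline)


if __name__ == "__main__":
    for entry in demo():
        print(json.dumps(entry))
```

In practice the baseline would be written to disk (JSON of `build_baseline`) right after a verified clean install or update and kept off the web root, since malware that can disable security plugins can also overwrite a baseline it can reach; the unchanged `functions.php` never reaches the heuristics, which keeps the noise down on large plugin trees.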