Since 2016, the “DollyWay World Domination” campaign has quietly compromised more than 20,000 WordPress websites worldwide, exploiting vulnerabilities in plugins and themes to redirect visitors to malicious destinations.
The operation’s name comes from a telltale code string found in infected sites:
```php
define('DOLLY_WAY', 'World Domination');
```
DollyWay’s infection chain is highly sophisticated, employing a four-stage JavaScript and PHP injection process to evade detection and ensure persistence.
The initial compromise typically occurs via vulnerable plugins or themes.
Attackers inject a script using the WordPress wp_enqueue_script function:
```php
wp_enqueue_script('jquery');
wp_enqueue_script('dollyway', '/?&ver=" id="-js">');
```
This script loads a dynamically generated payload containing a unique hexadecimal identifier (often an MD5 hash), which helps track and manage infections.
The next stage collects referrer data and filters out bots and logged-in users, ensuring only real visitors are targeted.
The final payload, often loaded from a path like /wp-content/counts.php?cat=&t=, redirects users through a network of Traffic Direction System (TDS) nodes, ultimately leading them to scam sites.
Table 1: DollyWay Infection Chain Stages

Stage | Technical Detail | Purpose |
---|---|---|
Stage 1 | Injection via wp_enqueue_script with unique hex ID | Initial foothold, evades static analysis |
Stage 2 | Dynamic script loads, referrer/user-agent filtering | Gathers data, filters bots/admins |
Stage 3 | TDS node selection, hidden JavaScript redirection | Redirects to scam/affiliate sites |
Stage 4 | Persistent PHP/JS code in plugins and WPCode snippets | Ensures reinfection, disables security |
DollyWay’s persistence is formidable.
Malicious PHP code is injected into every active plugin and WPCode snippet, with code obfuscated and randomized on every page load.
It disables popular security plugins, hides its presence, and reinfects sites automatically if any trace remains.
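The indicators named above (the DOLLY_WAY constant, the wp_enqueue_script call pointing at a `/?&ver=` source, and the counts.php loader path) can be turned into a simple file scan. The following Python script is an added example, not code from the original report or from any vendor's signature set: the regexes are this example's own approximations of the strings quoted on the page, and the sample plugin tree it builds in a temporary directory is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators derived from the strings quoted in the write-up above. These
# regexes are this example's own approximations, not published signatures.
INDICATORS = {
    "dollyway_marker": re.compile(r"define\(\s*['\"]DOLLY_WAY['\"]"),
    # wp_enqueue_script('<handle>', '/?&ver=...') as shown in the injected snippet
    "enqueue_injection": re.compile(
        r"wp_enqueue_script\(\s*['\"][^'\"]*['\"]\s*,\s*['\"]/\?&ver="
    ),
    "counts_loader": re.compile(r"/wp-content/counts\.php\?cat="),
}


def scan_file(path: Path) -> list[str]:
    """Return the names of every indicator that matches in one file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: Path, suffixes=(".php", ".js")) -> dict[str, list[str]]:
    """Walk a plugins/themes tree and map each flagged file to its hits.

    Every active plugin is a candidate because the malware injects into all
    of them, so the whole tree is scanned rather than a known list of files.
    """
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            found = scan_file(path)
            if found:
                hits[str(path.relative_to(root))] = found
    return hits


def build_sample_tree() -> Path:
    """Construct a small fake plugins directory for the demo (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    clean = root / "clean-plugin"
    clean.mkdir()
    (clean / "clean-plugin.php").write_text(
        "<?php\n"
        "wp_enqueue_script('jquery');\n"
        "wp_enqueue_script('my-ui', plugins_url('ui.js', __FILE__));\n"
    )
    infected = root / "infected-plugin"
    infected.mkdir()
    # Mirrors the snippet quoted in the article (constructed sample).
    (infected / "infected-plugin.php").write_text(
        "<?php\n"
        "define('DOLLY_WAY', 'World Domination');\n"
        "wp_enqueue_script('jquery');\n"
        "wp_enqueue_script('dollyway', '/?&ver=\" id=\"-js\">');\n"
    )
    (infected / "loader.js").write_text(
        "var s=document.createElement('script');"
        "s.src='/wp-content/counts.php?cat=1&t=2';\n"
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, found in scan_tree(sample_root).items():
        print(f"{rel}: {', '.join(found)}")
```

Point `scan_tree` at a real `wp-content/plugins` or `wp-content/themes` directory to triage a site; because the malware re-obfuscates on every page load, treat a clean scan as necessary but not sufficient and pair it with the database and file-integrity checks below.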
Affiliate Networks and Traffic Brokering
DollyWay’s primary goal is monetization through traffic redirection.
The malware embeds affiliate tracking parameters in its redirect URLs, ensuring payment for every successful redirection.
The operation leverages two major affiliate networks:
- VexTrio: Dubbed the “Uber of cybercrime,” VexTrio acts as a broker for scam content, spyware, and malware, redirecting users to fraudulent sites based on their profile attributes (geolocation, device, etc.). It operates a massive TDS infrastructure, partnering with over 60 affiliates and managing more than 70,000 domains.
- LosPollos: This network specializes in selling traffic to both scam and legitimate services. DollyWay’s redirects often include a LosPollos affiliate ID, sometimes leading users to real app listings like Tinder or TikTok.
The table below summarizes the affiliate monetization flow:
Network | Role | Example Redirects | Revenue Model |
---|---|---|---|
VexTrio | Scam traffic broker, TDS operator | Dating scams, fake sweepstakes | Pay-per-redirect |
LosPollos | Traffic reseller, ad network | App stores, mainstream sites | Affiliate commissions |
Stealth, Persistence, and Defense:
DollyWay’s stealth capabilities are central to its longevity. The malware:
- Injects code into every active plugin and WPCode snippet, re-obfuscating and reinfecting on every page load.
- Disables or removes competing malware and security plugins to maintain exclusive control.
- Creates hidden administrator accounts and hijacks legitimate admin credentials by logging login form entries to hidden files.
- Uses maintenance scripts and web shells to update WordPress, install components, and block rival malware.
Detection is challenging because DollyWay hides both its code and admin accounts from the WordPress dashboard.
Removal is only effective if all infected plugins and snippets are cleaned simultaneously and the site is taken offline to prevent reinfection.
Recommended Defense Steps:
- Temporarily take the site offline or disable all plugins during cleanup.
- Remove suspicious plugins and hidden admin accounts.
- Change all user passwords and enable two-factor authentication.
- Monitor file creation/deletion events for signs of compromise.
- Engage third-party incident response if in-house resources are insufficient.
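Because the malware hides its administrator accounts from the WordPress dashboard, the user list shown in wp-admin cannot be trusted during cleanup; the wp_users and wp_usermeta tables still hold the rows, so the audit should be done directly against the database. The following Python script is an added example, not code from the original report: it runs the administrator query against an in-memory SQLite copy populated with constructed sample rows (WordPress stores roles as a PHP-serialized array in the wp_capabilities meta value, which is what the LIKE clause matches on) and reports any administrator not on an allowlist the site owner supplies.

```python
import sqlite3

# Constructed sample rows mimicking wp_users and wp_usermeta. The role is a
# PHP-serialized array stored in the wp_capabilities meta value.
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.com", "2019-03-01 10:00:00"),
    (2, "editor", "editor@example.com", "2020-06-15 09:30:00"),
    (7, "wp_support_", "x@mail.example", "2024-11-02 03:12:44"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Same query shape works on the live MySQL database; only the table prefix
# (wp_ by default) may differ on a given site.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT, "
        "user_email TEXT, user_registered TEXT)"
    )
    conn.execute(
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def list_admins(conn: sqlite3.Connection) -> list[dict]:
    """Every account whose capabilities include the administrator role."""
    return [
        {"ID": row[0], "login": row[1], "email": row[2], "registered": row[3]}
        for row in conn.execute(ADMIN_QUERY)
    ]


def unexpected_admins(conn: sqlite3.Connection, allowlist: set[str]) -> list[dict]:
    """Administrators whose login is not on the owner-supplied allowlist."""
    return [admin for admin in list_admins(conn) if admin["login"] not in allowlist]


if __name__ == "__main__":
    db = load_sample_db()
    # The allowlist is whatever the site owner knows to be legitimate.
    for admin in unexpected_admins(db, {"siteowner"}):
        print(f"unexpected administrator: {admin}")
```

On a live site the same query can be issued through WP-CLI's `wp db query` or a MySQL client; rerun it after cleanup, since the page notes that the malware reinfects automatically if any trace remains, and a reappearing account is one such trace.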
DollyWay’s eight-year campaign underscores the persistent risk posed by insecure WordPress plugins and themes.
With advanced evasion, automatic reinfection, and lucrative affiliate partnerships, DollyWay remains a major threat to the global website ecosystem.
Regular security audits, prompt patching, and vigilant monitoring are essential for defense.