DollyWay Malware Campaign Exploits 20,000 WordPress Sites in Ongoing Cybercrime Operation

A nearly decade-long malware campaign, dubbed DollyWay World Domination, has compromised over 20,000 WordPress websites since 2016, according to a new report from GoDaddy. Researchers now believe multiple previously distinct cyber threats were part of a larger operation led by VexTrio, a vast cybercrime network leveraging Traffic Distribution Systems (TDS) and deceptive domains to spread malware and scams.

GoDaddy’s Denis Sinegubko uncovered the campaign’s connection through a recurring code snippet referencing DollyWay World Domination. The latest version of the malware (DollyWay v3) infects WordPress sites by injecting malicious redirect scripts that guide visitors through scam pages, ultimately leading to phishing sites, malware downloads, or affiliate advertising revenue streams. VexTrio has also historically distributed ransomware and banking trojans.

The malware is designed to be highly persistent, reinfecting sites automatically by disabling security plugins, obfuscating its code, and embedding itself into WordPress themes and plugins. Due to its self-replicating nature, removal is difficult unless administrators take their sites offline or disable all plugins before attempting cleanup.

To mitigate risks, experts recommend keeping WordPress installations updated, enforcing strong authentication measures, and using Web Application Firewalls (WAF) to detect and block malicious activity.