Malware Campaign ‘DollyWay’ Breaches 20,000 WordPress Sites

Bisma Farrukh


March 20, 2025
Updated on March 20, 2025

A sophisticated malware campaign known as ‘DollyWay’ has been actively exploiting WordPress websites since 2016, compromising more than 20,000 sites globally. Security researchers have identified that the malware’s primary goal is to redirect unsuspecting visitors to malicious websites, including fake dating, gambling, cryptocurrency, and sweepstakes platforms.  

The **DollyWay** malware infiltrates WordPress websites by exploiting vulnerabilities in outdated plugins and themes. It injects malicious scripts that redirect website visitors through a Traffic Direction System (TDS), filtering users based on various criteria such as referrer status, browser type, and user interaction. If deemed suitable, the user is then redirected to harmful third-party sites, often through affiliate networks like VexTrio and LosPollos.  

The redirection process includes multiple steps:  

1. Script Injection: The malware injects an initial script into the website, which loads a secondary malicious script.  

2. Data Collection: This secondary script gathers visitor data to determine if they are a potential target.  

3. Traffic Filtering: A TDS system evaluates the visitor and only redirects those who meet certain criteria. The final redirection occurs only when a visitor interacts with the infected site, making passive security scans.
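As an added example (not from the article or the researchers it cites), the following static audit targets step 1: it lists a page's `<script>` tags and flags sources on unexpected hosts and inline code that builds a second script at run time. The redirect itself fires only after visitor interaction, so the check looks for the loader rather than the redirect. `ALLOWED_HOSTS`, the sample HTML and both heuristics are assumptions, not known DollyWay indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}
# Inline code that creates or writes another <script> at run time (a loader).
LOADER_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|document\.write\([^)]*<script", re.I)

class ScriptAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._inline = []
            return
        host = urlparse(src).hostname or self.site_host  # relative URL: same site
        if host not in ALLOWED_HOSTS:
            self.findings.append(("external-host", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            if LOADER_RE.search(body):
                self.findings.append(("inline-loader", body.strip()[:60]))
            self._inline = None

def audit(html, site_host="example.com"):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page: one expected script, one unknown host, one loader.
SAMPLE = """<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://stats.unknown-host.test/a.js"></script>
<script>var s=document.createElement('script');s.src='//x.test/b.js';document.head.appendChild(s);</script>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against HTML fetched without cookies and again as a logged-in administrator, and compare both results with a known-clean copy of the theme, since a finding is only a lead for manual review.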

Unlike conventional malware, DollyWay ensures it remains undetected and reinfects websites even after removal. Researchers have identified several key tactics used by the malware:  

The DollyWay malware campaign highlights the critical need for strong website security among WordPress users. Given the campaign’s longevity and evolving tactics, security professionals urge website owners to proactively protect their sites and stay vigilant against cyber threats.  


About The Author

Bisma Farrukh

Bisma is a seasoned writer passionate about topics like cybersecurity, privacy and data breach issues. She has been working in the VPN industry for more than 5 years now and loves to talk about security issues. She loves to explore books and travel guides in her leisure time.
