A long-running malware operation known as DollyWay has been compromising WordPress sites since 2016, infecting over 20,000 websites worldwide.

The malware redirects unsuspecting visitors to malicious sites, including fake dating, gambling, crypto, and sweepstakes pages.

According to GoDaddy Security researcher Denis Sinegubko, the malware has evolved significantly. In its latest version, DollyWay v3, it functions as a large-scale scam redirection system. In the past, however, it has been linked to ransomware and banking trojans.

DollyWay exploits vulnerabilities in WordPress plugins and themes to infect websites. Once a site is compromised, its visitors are secretly funneled through a Traffic Direction System (TDS), which filters them based on their location, device type, and referrer data before sending them to affiliate scam networks like VexTrio and LosPollos. The malware even ensures attackers get paid for successful redirections by embedding affiliate tracking parameters.

DollyWay is designed for stealth and persistence, which makes it particularly difficult to remove. It spreads across all active plugins, injecting obfuscated PHP code and using the WPCode plugin to hide malicious scripts. It automatically reinstalls itself with every page load, ensuring continuous infection. It also hides malicious admin accounts, making detection impossible without direct database inspection. The final redirections only trigger upon user interaction, such as clicking, which allows the malware to bypass passive security scans.

To defend against DollyWay and similar malware threats, website administrators should keep all WordPress plugins and themes updated, use security plugins to scan for and remove malicious scripts, manually inspect the database for suspicious admin accounts, and enable server-side security protections to block unauthorized script injections.

GoDaddy has released a list of indicators of compromise (IoCs) to help website owners detect and remove DollyWay infections. An upcoming report will reveal further details about the malware’s infrastructure and tactics.