Image by WebFactory Ltd, from Unsplash
DollyWay Malware Scheme Infects Over 20,000 WordPress Sites
Reading time: 3 min
Updated on Mar 21, 2025
-
![Kiara Fabbri]()
-
![Sarah Frazier]()
Fact-Checked by Sarah Frazier Content Manager
GoDaddy Security researchers have uncovered a massive malware operation called “DollyWay World Domination” that has been quietly infecting over 20,000 websites since 2016.
In a rush? Here are the quick facts:
- Malware uses advanced tricks like automatic reinfection and hiding in plugins to stay undetected.
- Creates hidden admin accounts and steals real admin credentials for long-term access.
- Generates 10 million malicious page views monthly, earning attackers millions of dollars.
The campaign, named after a line of code found in the malware, uses hacked WordPress sites to trick visitors into clicking on scam pages, earning the attackers millions of dollars.
The operation has evolved over the years, starting in 2016 with campaigns like Master134 and Fake Browser Updates. The latest version, DollyWay v3, is highly advanced, using clever tricks to stay hidden.
For example, it can automatically re-infect websites, remove other malware, and even update WordPress to keep the site running smoothly while hiding its malicious activity.
Here’s how it works: When you visit an infected website, the malware secretly redirects you to scam pages, often related to dating, crypto, or gambling. These scams are part of a larger network run by cybercriminals called VexTrio. The malware is so sneaky that it avoids detection by ignoring bots, logged-in users, and even local visitors.
As of February 2025, over 10,000 WordPress sites are infected, generating around 10 million malicious page views every month. The malware is designed to stay hidden, making it hard for website owners to notice anything is wrong.
One of the most concerning features of DollyWay v3 is its ability to keep reinfecting websites. Every time someone visits an infected site, the malware checks to make sure it’s still in control. If it finds any security plugins, it disables them. It also hides malicious code inside legitimate plugins and WPCode snippets, making it even harder to detect and remove.
The attackers also create hidden admin accounts with random usernames and email addresses. These accounts let them access the site anytime, even if the original admin tries to remove them. In some cases, the malware even steals the real admin’s login details to maintain access.
To make matters worse, the malware uses advanced encryption to protect its code and ensure only the attackers can control it. It also uses a network of 14 infected websites, called TDS nodes, to manage the scam redirects. These nodes are updated daily to keep the operation running smoothly.
Website owners are urged to check their sites for signs of infection, such as unexpected redirects or strange admin accounts. Using strong security plugins and keeping WordPress updated can help protect against these kinds of attacks.
Previous Story
Latest articles 
Leave a Comment
Cancel