
WordPress Security Alert – Malware Campaign Exposed


An elaborate WordPress malware campaign that quietly ran for nearly a decade has infected more than 20,000 websites, according to a recent report by GoDaddy’s security research team. Known as “DollyWay World Domination”, this long-running operation has silently plagued WordPress site owners while feeding traffic to shady schemes and malware traps.

GoDaddy’s latest findings revealed that multiple cyberattack campaigns observed since 2016 are actually part of a much larger, coordinated effort controlled by VexTrio, a notorious cybercrime syndicate. This group operates a vast Traffic Distribution System (TDS) network designed to hijack web traffic, redirect users, and generate revenue through malware infections and fraudulent ads.

The campaign earned its ominous name from a specific line of code buried in its malicious script — define('DOLLY_WAY', 'World Domination'); — uncovered by GoDaddy’s senior malware analyst Denis Sinegubko.

While researchers had long believed these attacks were isolated, GoDaddy’s report connects the dots, presenting a disturbing picture of how a single cybercriminal network has managed to stay under the radar for years.

How the DollyWay Malware Hijacks WordPress Sites

At the heart of the DollyWay malware campaign is a sophisticated redirection scheme. Once a WordPress website is compromised, malicious scripts are injected, triggering a complex series of redirects every time a visitor clicks on the site.

Sinegubko explained that the latest version, DollyWay v3, leverages compromised websites as nodes of a distributed TDS network. This method makes it much harder for defenders to track or block the traffic flow, since the set of infected sites acting as nodes is constantly changing.

The malware also showcases advanced techniques — such as cryptographically signed data exchanges — to avoid detection. It actively hunts down and removes rival malware from infected sites to protect its foothold, proving how organized and resourceful the operation has become.

Once the redirection chain begins, unsuspecting users are sent through scam-filled pages pushing shady cryptocurrency deals, fake dating services, or malicious apps. Some even land on phishing sites or malware download pages, while others are tricked into installing rogue apps directly from platforms like Google Play.

Throughout this journey, VexTrio profits by monetizing hijacked traffic via well-known ad networks such as AdsTerra and PropellerAds. Interestingly, Sinegubko noted that VexTrio’s older campaigns were far more aggressive, delivering ransomware and banking trojans to steal sensitive data.

By February 2025, GoDaddy tracked more than 10,000 actively infected WordPress websites, generating nearly 10 million malicious page views monthly — exposing millions of users around the world to these hidden threats.

Why DollyWay Is So Hard to Eradicate

One of the most chilling aspects of the DollyWay campaign is its automatic reinfection mechanism. According to GoDaddy’s analysis, once a WordPress site is infected, every page load triggers the malware to reinsert itself — undoing any partial cleanup efforts almost instantly.

The malware disables security plugins, re-obfuscates its code, and even injects itself into WPCode snippets and other active plugins. This means that unless website owners completely wipe out every infected plugin and code snippet simultaneously, the malware keeps coming back.

Sinegubko warned that popular sites with heavy traffic face an even greater risk. “If someone visits the site before the cleanup is fully completed, the infection cycle restarts,” he explained. This vicious loop not only frustrates site owners but also makes recovery painstakingly difficult.

To break free, GoDaddy recommends either taking the site offline temporarily or disabling all plugins before attempting cleanup. Only a thorough and simultaneous removal of infected elements can prevent reinfection.
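The offline-cleanup staging GoDaddy recommends, as an added shell example that is not code from the article or from GoDaddy: it assumes a standard WordPress directory layout under the site root passed as the first argument, and the only indicator it searches for is the DOLLY_WAY marker quoted above.

```shell
#!/bin/sh
# Added example: stage a WordPress install for the simultaneous cleanup the
# article describes. Assumes a standard layout under the site root passed as $1.

# Take the site offline. WordPress serves a 503 page while a .maintenance file
# exists whose $upgrading timestamp is less than 10 minutes old, so re-run this
# before each pass of a long cleanup; a visitor reaching the site mid-cleanup
# would otherwise re-trigger the reinfection cycle described above.
wp_offline() {
  printf '<?php $upgrading = %s; ?>\n' "$(date +%s)" > "$1/.maintenance"
}

# Bring the site back only once the cleanup has been verified.
wp_online() {
  rm -f "$1/.maintenance"
}

# Disable every plugin at once by moving the plugin directories aside
# (WordPress deactivates plugins whose files are missing). mu-plugins is
# included because WordPress loads it automatically with no activation step.
# The quarantined copies stay on disk for analysis; nothing is deleted here.
wp_disable_plugins() {
  for d in plugins mu-plugins; do
    if [ -d "$1/wp-content/$d" ]; then
      mv "$1/wp-content/$d" "$1/wp-content/$d.quarantine"
    fi
  done
}

# Count files under a path that contain the DOLLY_WAY marker quoted in the
# report. Point it at the site root and also at a database dump, because the
# article notes the malware hides in WPCode snippets, which live in the
# database. The malware re-obfuscates itself, so a zero here is a starting
# point, not proof that the site is clean.
wp_find_marker() {
  grep -rl 'DOLLY_WAY' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Usage (site root and dump path are hypothetical):
#   wp_offline /var/www/site; wp_disable_plugins /var/www/site
#   wp_find_marker /var/www/site; wp_find_marker /tmp/site-db.sql
```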

Protecting Your WordPress Site from DollyWay Malware

Speaking to Dark Reading, a GoDaddy Security Team spokesperson stressed the importance of staying vigilant. Any unexpected redirects to sketchy websites — especially those involving dating, sweepstakes, or crypto offers — could be a telltale sign of compromise.

Website administrators are urged to follow cybersecurity best practices, including:

  • Regularly updating WordPress core, themes, and plugins
  • Removing unused or unfamiliar themes and plugins
  • Enforcing strong password policies and enabling multifactor authentication (MFA)
  • Running malware detection tools to catch hidden infections
  • Using a Web Application Firewall (WAF) for added protection

With the DollyWay malware campaign still active, these precautions are essential for keeping WordPress websites safe from sophisticated cybercriminals looking to hijack traffic and cash in.
