Security researchers have discovered a long-running malware campaign dubbed “DollyWay World Domination.” Over the past eight years, the campaign has compromised over 20,000 WordPress websites. It is run by VexTrio, a cybercrime network that uses traffic distribution systems and impersonates domains to spread malware and scam users. The campaign itself has been active since at least 2016.
Internet hosting service and domain registrar GoDaddy published a report detailing the entire campaign. Multiple cybersecurity researchers were tracking parts of the campaign, believing them to be independent attacks. However, GoDaddy’s report claims that these independent campaigns are part of a larger operation run by VexTrio.
The targets are usually visitors to infected WordPress websites, who are reached through injected redirect scripts that use a network of traffic distribution system (TDS) nodes hosted on the compromised websites. When a user clicks on an infected website, DollyWay scripts spring into action and start a multistage redirection chain, forcing the user through a series of scam pages related to crypto or online dating before redirecting them to the final malware or phishing site.

To make matters worse, VexTrio also monitors pages shown throughout the chain, earning affiliate ad revenue from platforms like AdsTerra and PropellerAds. As of February 2025, the researchers have spotted over 10,000 unique infected WordPress sites generating nearly 10 million impressions on web pages loaded with malicious scripts for millions of visitors. The IP addresses also change monthly, making tracking and shutting down the operation difficult.
DollyWay’s malware also reinfects each page using an automated mechanism every time it’s accessed. If a compromised website gets heavy traffic, it gets reinfected during the malware removal process. The malware can disable security plugins and extensions, hide itself, and then insert fresh malicious code into non-infected plugins—only to reinfect WPCode snippets every time a page is opened.
This constant movement of the malware makes it hard to clean a compromised website. If the site admin fails to remove the malware from all plugins and WPCode before a user refreshes any page, they’ll have to start over again. For site admins who believe their website is infected, researchers recommend taking the site down temporarily or disabling all plugins until the malware is safely removed.