DollyWay Malware: A Persistent Threat Exploiting WordPress Sites for Fraudulent Redirects
- Reported on March 19, the DollyWay malware operation has been actively compromising over 20,000 WordPress sites worldwide since 2016, evolving into an advanced scam redirection system.
- The operation initially distributed ransomware and banking trojans; its latest version (v3) redirects visitors to fraudulent sites, generating 10 million monthly impressions. GoDaddy researchers linked multiple malware campaigns to *DollyWay*, identifying its use of *Traffic Direction Systems (TDS)* and affiliate networks like VexTrio and LosPollos for monetization.
- Exploiting n-day flaws in WordPress plugins and themes, the malware persists through auto-reinfection, obfuscated PHP code, and hidden admin accounts. It evades detection by requiring user interaction for final redirection. GoDaddy has shared indicators of compromise to aid in defense and plans further reports on the threat's evolving tactics.