{
	"id": "3c3de3d7-6dcc-4cae-8566-914e41198140",
	"created_at": "2026-04-06T00:21:24.259702Z",
	"updated_at": "2026-04-10T03:20:02.110941Z",
	"deleted_at": null,
	"sha1_hash": "718756a8fa3ac425693553d6ae60fcf744bc6f5b",
	"title": "Inside DollyWay’s C2 Infrastructure: Traffic Direction Systems and the LosPollos Connection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3053187,
	"plain_text": "Inside DollyWay’s C2 Infrastructure: Traffic Direction Systems\r\nand the LosPollos Connection\r\nBy Denis Sinegubko\r\nPublished: 2025-03-25 · Archived: 2026-04-05 17:52:37 UTC\r\nKey findings \r\nAnalysis of DollyWay C2/TDS nodes reveals campaign reaches 9-10 million monthly page impressions\r\nacross approximately 10,000 compromised WordPress sites in the past year\r\nCampaign infrastructure relied heavily on LosPollos traffic broker network until November 2024\r\ndisruption \r\nSophisticated node architecture includes cryptographic verification and redundancy mechanisms to ensure\r\noperational resilience \r\nRecent disruption forced rapid transition to alternative traffic monetization methods, demonstrating the\r\noperation's adaptability \r\nIn our previous analysis of the DollyWay World Domination malware operation, we explored it’s scope and\r\nevolution over eight years. We also analyzed the most recent malware variant (DollyWay v3) and it’s sophisticated\r\ninfection mechanisms. This follow-up deep-dive examines the campaign's Command and Control (C2)\r\ninfrastructure and Traffic Direction System (TDS) nodes, focusing specifically on activities observed during 2024-\r\n2025 that reveal new insights into its operational scale and recent disruptions. \r\nOur research into compromised C2/TDS nodes has uncovered detailed statistics about the campaign's reach in the\r\npast year, including traffic volumes, WordPress version targeting, and monetization strategies. We've also\r\ndocumented significant changes in the operation's infrastructure following recent security industry revelations\r\nabout their traffic broker partner LosPollos.  \r\nC2/TDS Nodes \r\nThe DollyWay malware uses a small subset of compromised sites as C2/TDS nodes. We had a chance to clean\r\nsome of these nodes and explore how they work from the server side. \r\nThe node malware is very simple. 
It consists of one PHP script, counts.php, and two static files: data.txt and\r\n\u003chex32\u003e. They can all be found in the /wp-content/ directory of the infected sites, as we can easily see in the node\r\nlists on any compromised site. \r\nThese files don’t reveal too much information about the malware operators. In addition, taking over individual\r\nnodes will not disrupt the campaign because of its distributed nature, with lots of verification steps,\r\nredundancy and fallback options available for most critical functions. On the other hand, it’s easy to turn any\r\nhttps://www.godaddy.com/resources/news/dollyway-malware-c2-tds\r\nPage 1 of 12\n\ncompromised site into a C2/TDS node. Probably any site that hadn’t been cleaned in over a year is a good\r\ncandidate — their owners definitely don’t pay much attention to the security and integrity of their sites.  \r\nData.txt \r\nThe counts.php file is very simple. It updates the content of the data.txt file when it receives POST requests with\r\nthe following parameters: newcode, sign, data. \r\nBefore saving, it verifies that the data is properly signed, checking the sign value against the public key listed in the\r\nserver-side IoCs below. This means that nobody without the operators’ private key can push their own node list to the\r\nC2/TDS nodes. (That key is a 512-bit RSA key; keys of that size have been factorable with modest resources for years,\r\nso the check stops casual tampering rather than a determined adversary.) As we already discussed, data.txt contains the most current list of DollyWay nodes as well as\r\ncategory ids for older versions of this malware. Infected websites download this data.txt file once a day, and it is\r\nimportant for the operators to keep it valid and up to date. \r\nDomain list \r\nAnother static file maintained by counts.php is the list of VexTrio/LosPollos domains for every redirect\r\ncategory. Its name is a 32-character hexadecimal string: the MD5 hash of the absolute\r\npath to the counts.php script. 
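Added example (editor's code, not the article's and not the node script itself): a Python scanner that walks a wp-content directory and flags the server-side file set described above. It matches every 32-character hexadecimal filename against md5(absolute path of counts.php), the naming rule for the domain list, and against md5('11341608982415'), the cache file introduced by the December 2024 version. The temporary directory it builds is a constructed fixture; the function and variable names are the editor's own. Double quotes are avoided in the code only because this record stores the article inside a JSON string.

```python
import hashlib
import os
import re
import tempfile

# Editor's example, not the article's or the malware's code.
HEX32 = re.compile('[0-9a-f]{32}')
NODE_SCRIPTS = ('counts.php', 'count.php')
NODE_LIST = 'data.txt'
CACHE_SEED = '11341608982415'   # the article gives its MD5 as 4052e211471469076d33effdf1795b24

def domain_list_name(script_path):
    # The per-node domain list is named after the MD5 of the absolute path of
    # counts.php, so the expected name differs per site and can only be computed
    # on the host itself (or from a known document root).
    return hashlib.md5(os.path.abspath(script_path).encode()).hexdigest()

def scan_wp_content(wp_content):
    # Returns sorted (kind, path) pairs for every file matching a node artifact.
    # A data.txt hit on its own is weak evidence and needs a manual look.
    scripts, hits = [], []
    for dirpath, _dirs, files in os.walk(wp_content):
        for name in files:
            full = os.path.join(dirpath, name)
            if name in NODE_SCRIPTS:
                scripts.append(full)
                hits.append(['tds_script', full])
            elif name == NODE_LIST:
                hits.append(['node_list', full])
            elif HEX32.fullmatch(name):
                hits.append(['hex32_file', full])
    # Second pass: tie each hex32 file to the script that would have created it,
    # or to the fixed seed used by the December 2024 cache file.
    expected = {domain_list_name(s): os.path.basename(s) for s in scripts}
    cache_name = hashlib.md5(CACHE_SEED.encode()).hexdigest()
    for hit in hits:
        if hit[0] == 'hex32_file':
            name = os.path.basename(hit[1])
            if name in expected:
                hit[0] = 'domain_list_for:' + expected[name]
            elif name == cache_name:
                hit[0] = 'redirect_cache'
    return sorted(tuple(h) for h in hits)

def build_fixture():
    # Constructed layout for the demonstration: an otherwise empty wp-content
    # holding the three node files, the December 2024 cache file and one benign file.
    root = tempfile.mkdtemp(prefix='wpc-')
    script = os.path.join(root, 'counts.php')
    names = ['counts.php', NODE_LIST, domain_list_name(script),
             hashlib.md5(CACHE_SEED.encode()).hexdigest(), 'index.php']
    for name in names:
        with open(os.path.join(root, name), 'w') as fh:
            fh.write('')
    return root

if __name__ == '__main__':
    for kind, path in scan_wp_content(build_fixture()):
        print(kind, path)
```

Run it against a real site with scan_wp_content('/path/to/wp-content'); an unexplained hex32 file that matches neither rule is still worth opening, since the naming rule only holds for nodes whose counts.php has not moved.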
\r\nEvery 10 minutes, this domain list is downloaded directly from the LosPollos API endpoint using the malware\r\noperator’s own key:  \r\nhxxps://domainapi.lospollos[.]com/actualdomain?key=ea6ff61a45e946c287ea5f121c4f2e4b\r\nHere’s a typical unencrypted response with VexTrio/LosPollos domains:\r\n{\r\n\"Dating\":[\"romancezone[.]one\"],\r\n\"Mainstream\":[\"topawardpicks[.]top\",\"yourspacegain[.]top\"],\r\n\"Crypto\":[\"coinsboostbonus[.]top\"],\r\n\"Gay Dating\":[\"hot-gays-quest[.]life\"],\r\n\"iGaming\":[\"your-bigprofit[.]top\"],\r\n\"Cams\":[\"myhot-cams[.]life\"],\r\n\"Dating-new\":[\"p9xpmrp.romancezone[.]one\"],\r\n\"Mainstream-new\":[\"p9xpmrp.topawardpicks[.]top\",\"p9xpmrp.yourspacegain[.]top\"],\r\n\"Crypto-new\":[\"p9xpmrp.coinsboostbonus[.]top\"],\r\n\"Gay Dating-new\":[\"p9xpmrp.hot-gays-quest[.]life\"],\r\n\"iGaming-new\":[\"p9xpmrp.your-bigprofit[.]top\"],\r\n\"Cams-new\":[\"p9xpmrp.myhot-cams[.]life\"]\r\n}\r\nTDS functionality \r\nThe main function of the counts.php script is to serve the JavaScript redirect code to infected websites that request\r\nit via URLs like this:\r\nhttps://\u003cnode\u003e/wp-content/counts.php?cat=0\u0026t=\u003cencrypted-ref-domain\u003e\r\nBased on the requested category (the cat parameter), the script selects the domain name, user id and the category to generate a\r\nLosPollos “smart link”. 
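Ahead of the article's own worked values for cat=0 and cat=1, here is an added example (editor's code, not the counts.php script): the smart-link assembly just described, reconstructed only from the values this post prints, together with a classifier for the three redirect shapes the post documents (a working LosPollos link, the host-less link served after the API key died, and the later /help/?11341608982415 TDS). Hosts are written undefanged so that URL parsing works. The article does not say how the script chooses among several domains of one category, so taking the first entry is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Editor's reconstruction, not the node script. Values below are the ones the article prints.
AFFILIATE_ID = '7mkpd0d'
# cat index -> (LosPollos category, o= parameter), as given for cat=0 and cat=1
CATEGORIES = {'0': ('Dating', 'ex3wmkx'), '1': ('Mainstream', 'ex5whk5')}
HELP_TDS_MARKER = '11341608982415'   # bare query key of the post-November-2024 /help/ TDS

# Constructed copy of the relevant part of the LosPollos API response shown above.
DOMAIN_LIST = {
    'Dating': ['romancezone.one'],
    'Mainstream': ['topawardpicks.top', 'yourspacegain.top'],
}

def build_smart_link(domain_list, cat, encrypted_ref):
    # Assumption: the first domain of the category is used.
    category, offer = CATEGORIES[cat]
    domains = domain_list.get(category, [])
    # An empty category list yields a URL with no host, which is exactly the
    # broken window.open target the nodes served once the API key stopped working.
    host = domains[0] if domains else ''
    return 'https://' + host + '/?u=' + AFFILIATE_ID + '&o=' + offer + '&t=' + encrypted_ref

def classify_redirect(url):
    # Labels an observed redirect target by the patterns documented in this post.
    u = urlsplit(url)
    q = parse_qs(u.query, keep_blank_values=True)
    if u.path == '/help/' and HELP_TDS_MARKER in q:
        return 'help-tds'
    if q.get('u') == [AFFILIATE_ID]:
        return 'lospollos-broken' if not u.netloc else 'lospollos'
    return 'other'

if __name__ == '__main__':
    for cat in CATEGORIES:
        link = build_smart_link(DOMAIN_LIST, cat, 'REF')
        print(cat, link, classify_redirect(link))
    print(classify_redirect(build_smart_link({}, '1', 'REF')))
```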
\r\nFor example, if the ?cat parameter is “0”, then the TDS will select the “Dating” category, the romancezone[.]one\r\ndomain and the “/?u=7mkpd0d\u0026o=ex3wmkx” parameters to form the following smart link: \r\nhxxps://romancezone[.]one/?u=7mkpd0d\u0026o=ex3wmkx\u0026t=\u003cencrypted-ref-domain\u003e\r\nSimilarly, for ?cat=1, we get the “Mainstream” category and the following smart link: \r\nhxxps://topawardpicks[.]top/?u=7mkpd0d\u0026o=ex5whk5\u0026t=\u003cencrypted-ref-domain\u003e\r\nThis link is then injected into the final JavaScript code, which is already familiar to us from the “client side”\r\nsection of our first DollyWay post. \r\nDecember 2024: New counts.php version \r\nIn mid-November 2024, many threat actors started switching from LosPollos smart links to alternative redirect\r\ndestinations. DollyWay operators followed suit, and by the end of December 2024 they had gradually upgraded the\r\ncounts.php script on most C2/TDS nodes. \r\nThe new version included new functionality: \r\n1. Instead of the LosPollos API, the new redirect URLs are retrieved from the trafficredirect Telegram channel\r\n(it was created on November 28, 2023). If it’s not available, the fallback URL is: hxxps://pinkfels[.]shop/?t=json\u0026i=01e077f41c42710c07820d85fff21c63\u0026a=11341608982415 (the domain was created on November\r\n28, 2023) \r\n2. The new redirect URL is cached for 100 seconds in the /wp-content/4052e211471469076d33effdf1795b24 file (where 4052e211471469076d33effdf1795b24 is the MD5\r\nhash of “11341608982415”) \r\n3. 
Constants in the generated redirect JavaScript are changed: \r\ntest → test01 \r\nclick4 → click01\r\nTDS usage statistics \r\nWhile taking over individual C2/TDS nodes can’t disrupt the malicious campaign, it allows us to peek into the\r\nstatistics of the whole operation by leveraging the website server logs. \r\nFrom the logs, we see the following: \r\nRequests to the TDS scripts (counts.php / count.php) from infected websites around the world \r\nRequests to the data.txt file; infected sites request this file once a day \r\nReferrers: these requests come from compromised sites \r\nRequested categories (the cat parameter of the counts.php script) \r\nWordPress versions of infected sites \r\nWe analyzed four months’ worth of logs on 3 different nodes that served both counts.php and count.php versions\r\nand found the following: \r\nEach individual node gets about 1.9 million TDS requests per month from about 1.3 million unique IP addresses.\r\nThese are requests from real visitors with browsers that execute JavaScript code. They are literally “one click\r\naway” from getting redirected to malicious sites (they get redirected if they click anywhere on a web page). \r\nGiven that currently there are 14 nodes in the list and three of them are randomly picked to load malicious code,\r\nthe chance that any specific node is chosen is roughly 20% (3/14).  \r\nThis allows us to extrapolate our numbers to the whole network of malicious TDS nodes:  \r\n9-10 million impressions of infected pages per month result in loading malicious scripts from the TDS. \r\nRoughly 60% of them used the “Mainstream” category (?cat=1) for the redirect links and 40% the “Dating”\r\ncategory (?cat=0). \r\nOlder DollyWay v2 ?s= parameters (?s=7961591006225, ?s=7911586164333, ?s=8001593090904, ?s=7531575880767, ?s=8131599557550) are used about equally, roughly 20% each. 
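Added example (editor's code, not the article's): the per-node log analysis described in this section, run over a handful of constructed Apache combined-format lines (documentation IP ranges and made-up victim hostnames; none of it is real traffic). It splits TDS hits by cat and by the older ?s= ids, collects unique client IPs and referrer hosts, counts data.txt fetches, and scales one node's volume to the whole network by the 3-of-14 share the article uses. The WordPress version is read from the user agent on data.txt fetches; that relies on the assumption that the infected sites fetch the file through WordPress's HTTP API, whose default user agent is 'WordPress/<version>; <site-url>', which is the editor's reading of where the version statistics come from. Double quotes are spelled chr(34) only because this record stores the article inside a JSON string.

```python
import collections
from urllib.parse import parse_qs, urlsplit

# Editor's example, not the article's code.
DQ = chr(34)   # double quote
TDS_SCRIPTS = ('/wp-content/counts.php', '/wp-content/count.php')
NODE_LIST = '/wp-content/data.txt'

# Constructed sample log lines; the | placeholder becomes a double quote below.
SAMPLE_LOG = '''
203.0.113.10 - - [15/Jan/2025:10:00:01 +0000] |GET /wp-content/counts.php?cat=0&t=dGVzdA HTTP/1.1| 200 812 |https://victim-one.example/post/1| |Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|
198.51.100.7 - - [15/Jan/2025:10:00:02 +0000] |GET /wp-content/counts.php?cat=1&t=dGVzdA HTTP/1.1| 200 812 |https://victim-two.example/| |Mozilla/5.0 (Macintosh) Safari/605.1|
203.0.113.10 - - [15/Jan/2025:10:00:09 +0000] |GET /wp-content/counts.php?cat=1&t=dGVzdA HTTP/1.1| 200 812 |https://victim-one.example/page/2| |Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|
203.0.113.55 - - [15/Jan/2025:10:01:00 +0000] |GET /wp-content/count.php?s=7961591006225 HTTP/1.1| 200 640 |https://old-victim.example/| |Mozilla/5.0 (Linux; Android 13) Chrome/119.0|
192.0.2.20 - - [15/Jan/2025:10:05:00 +0000] |GET /wp-content/data.txt HTTP/1.1| 200 2048 |-| |WordPress/6.7.1; https://victim-one.example|
192.0.2.21 - - [15/Jan/2025:10:05:30 +0000] |GET /wp-content/data.txt HTTP/1.1| 200 2048 |-| |WordPress/5.3.18; https://old-victim.example|
198.51.100.9 - - [15/Jan/2025:10:06:00 +0000] |GET /index.php HTTP/1.1| 200 5120 |-| |Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0|
198.51.100.12 - - [15/Jan/2025:10:07:00 +0000] |GET /wp-content/counts.php?cat=0&t=dGVzdA HTTP/1.1| 404 196 |https://victim-two.example/about/| |Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0|
'''.strip().replace('|', DQ).splitlines()

def parse_line(line):
    # Combined format carries exactly three quoted fields: request, referrer, user agent.
    parts = line.split(DQ)
    if len(parts) < 6:
        return None
    method, target = parts[1].split(' ')[:2]
    url = urlsplit(target)
    return {
        'ip': parts[0].split(' ')[0],
        'method': method,
        'path': url.path,
        'query': parse_qs(url.query),
        'status': int(parts[2].split()[0]),
        'referrer': parts[3],
        'ua': parts[5],
    }

def summarize(lines):
    s = {
        'tds_hits': 0, 'tds_errors': 0,
        'by_cat': collections.Counter(), 'by_s': collections.Counter(),
        'unique_ips': set(), 'infected_domains': set(),
        'data_txt_hits': 0, 'wp_versions': collections.Counter(),
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['path'] in TDS_SCRIPTS:
            s['tds_hits'] += 1
            s['unique_ips'].add(rec['ip'])
            if rec['referrer'] != '-':
                s['infected_domains'].add(urlsplit(rec['referrer']).hostname)
            if rec['status'] != 200:
                s['tds_errors'] += 1   # a broken node answers with an error, not redirect code
                continue
            for cat in rec['query'].get('cat', []):
                s['by_cat'][cat] += 1   # v3: cat=0 Dating, cat=1 Mainstream
            for sid in rec['query'].get('s', []):
                s['by_s'][sid] += 1     # v2: ?s=<13 digits>
        elif rec['path'] == NODE_LIST:
            s['data_txt_hits'] += 1
            # Assumed WordPress default UA on the daily fetch: 'WordPress/<ver>; <site-url>'
            if rec['ua'].startswith('WordPress/'):
                version, _, site = rec['ua'].partition('; ')
                s['wp_versions'][version.split('/')[1]] += 1
                s['infected_domains'].add(urlsplit(site).hostname)
    return s

def share_by_category(summary):
    total = sum(summary['by_cat'].values())
    return {cat: n / total for cat, n in summary['by_cat'].items()} if total else {}

def estimate_network_impressions(per_node_requests, nodes=14, picks=3):
    # Each impression loads code from `picks` of the `nodes` listed, so one node sees
    # picks/nodes of all impressions; invert that share to size the whole network.
    return per_node_requests * nodes / picks

if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    print(summary['tds_hits'], summary['tds_errors'], dict(summary['by_cat']), dict(summary['wp_versions']))
    print(round(estimate_network_impressions(1_900_000)))
```

With the article's 1.9 million requests per node and 3 of 14 nodes chosen per impression, estimate_network_impressions gives about 8.9 million, which the post rounds to its 9-10 million figure.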
\r\nDuring October 2024 to February 2025, 10,043 unique domains were used as referrers in requests to DollyWay v2\r\nand v3 TDS scripts and the data.txt files. \r\nWe’ve also analyzed the WordPress versions of infected sites. In total, we found 205 different WordPress versions\r\n(some as old as 3.6) with the following 10 most common versions (as of end of January 2025): \r\n1. 52.96% WordPress/6.7.1 \r\n2. 5.73% WordPress/6.6.2 \r\n3. 3.28% WordPress/6.5.5 \r\n4. 2.67% WordPress/6.2.6 \r\n5. 2.37% WordPress/6.4.5 \r\n6. 2.37% WordPress/5.3.18 \r\n7. 1.93% WordPress/6.1.7 \r\n8. 1.78% WordPress/6.0.9 \r\n9. 1.62% WordPress/4.9.26 \r\n10. 1.59% WordPress/5.8.10 \r\nIn December and January, the usage data slightly decreased, averaging about 1.7 million requests from 1 million\r\nunique IP addresses on each node, with referrers from 7,094 and 6,815 infected domains respectively. This\r\ndecrease may be associated with the temporary campaign disruption that happened because of switching the\r\nunderlying redirect provider. It started after November 19, 2024, and it took about a month to migrate most\r\ncounts.php nodes to the new version. \r\nOverall, in the period of October 2024 - January 2025, we’ve observed 10,043 unique infected domains referring\r\nto count.php/counts.php scripts on DollyWay TDS nodes. \r\nVexTrio/LosPollos \r\nVexTrio is the name given by the Infoblox research team to one of the largest malicious traffic brokers,\r\nspecializing in redirects to various types of scam sites (adult dating, fake sweepstakes, fake captchas, etc.)  \r\nMultiple prominent malware campaigns leverage VexTrio to monetize traffic from hacked sites, including Balada\r\nInjector, DNS TXT redirects, Sign1 and DollyWay. ClearFake and some SocGholish affiliates are also known to\r\nredirect some traffic to VexTrio. \r\nWhen checking the code of the DollyWay TDS node script, we found that the VexTrio redirect URLs were\r\nactually obtained from the LosPollos API server. 
It turned out that there was a real ad network that managed traffic\r\nfrom all those malicious campaigns. \r\nScreenshot of the LosPollos main page captured in October, 2024\r\nThe ad network \"LosPollos\" draws inspiration from the television series \"Breaking Bad,\" incorporating various\r\ndesign elements and references from the show. Their branding mirrors that of the fictional \"Los Pollos Hermanos\"\r\nrestaurant chain, which served as a money laundering operation in the series. The network's logo features the\r\nlikeness of the show's character who owned the restaurant, and their website includes several subtle nods to the\r\nseries, including a homepage hero image reminiscent of the show's distinctive laboratory scenes. \r\nNovember 2024: Disrupted DollyWay leaves LosPollos \r\nOn November 13th, 2024, Qurium researchers revealed their investigation connecting LosPollos to some other\r\ncloaking and disinformation services. That same day, Sucuri published a post about the latest iteration of\r\nDollyWay v3 malware. \r\nIt may be a coincidence, but a week after that the DollyWay operators started to rapidly delete their C2/TDS\r\nservers. Their LosPollos API key also stopped working. \r\nAs a result, the remaining TDS nodes couldn’t retrieve LosPollos links and served invalid redirect code that\r\nmissed the domain name: \r\nwindow.open(\"hxxps:///?u=7mkpd0d\u0026o=ex5whk5\u0026t=\u003cencrypted-infected-domain\u003e\");\r\nAs of December 4, 2024, only two TDS nodes were updated to use a different TDS. 
They redirected to: \r\nwindow.open(\"hxxps://tavux.participates[.]cfd/help/?11341608982415\u0026sub_id_1=\u003cencrypted-infected-domain\u003e\");\r\nNow, the new TDS script is configured to obtain the redirect URL from the trafficredirect Telegram channel:\r\nPosts in the trafficredirect Telegram channel\r\nThis new /help/?11341608982415 TDS resembles the so-called DisposableTDS that the DollyWay operation used\r\nbefore 2022. That TDS employed new disposable domains on .tk, .ml, .ga, .cf TLDs, along with the /index/?7961591006225 URL pattern. \r\nThe new TDS initially redirected traffic through tuto.tuggest[.]space, generating URLs with specific UTM\r\nparameters, such as:\r\nhxxps://tuto.tuggest[.]space/?utm_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a\u0026utm_campaign=cid:30\r\nThese redirects frequently lead to Amazon affiliate links using the \"mntzr-20\" parameter. URLScan analysis\r\nreveals that traffic to these affiliate links consistently originates from compromised websites or suspicious\r\ndomains. The “mntzr-20” affiliate id is also mentioned in a Cyjax whitepaper. Another alternative redirect\r\ndestination includes technical support scams.\r\nAdditionally, other malware distribution campaigns previously associated with LosPollos have transitioned to\r\nalternative TDS platforms. For instance, the Balada Injector campaign's last known connection to a LosPollos link\r\n(u=bt1k60t) was recorded on November 19th, 2024. \r\nBy the end of December 2024, 9 of 14 nodes had been fully updated. Another two nodes returned broken\r\nJavaScript code that missed the domain name in the redirect URLs. Three nodes would return just errors. Since\r\nMarch 2025, the number of operational nodes has decreased to 7.\r\nConclusion \r\nThe disruption of DollyWay's relationship with LosPollos marks a significant turning point in this long-running\r\ncampaign. 
While the operators have demonstrated remarkable adaptability by quickly transitioning to alternative\r\ntraffic monetization methods, the rapid infrastructure changes and partial outages suggest some level of\r\noperational impact. \r\nHowever, given DollyWay's eight-year history of evolution and adaptation, this disruption likely represents just\r\nanother phase in the campaign's development rather than a permanent setback. The sophisticated distributed\r\narchitecture, with its redundant C2/TDS nodes and cryptographic verification systems, provides the operators with\r\na resilient foundation for continued operations. \r\nIndicators of compromise \r\nTDS node script URL pattern: \r\nhttps://\u003ccompromised-site\u003e/wp-content/counts.php?cat=[0|1]\u0026t=\u003cencrypted-ref-domain\u003e\r\nC2 update URL pattern: \r\nhttps://\u003ccompromised-site\u003e/wp-content/data.txt\r\nVexTrio/LosPollos integration: \r\nAffiliate ID before September 2021: u=h2xkd0x \r\nAffiliate ID after September 2021: u=7mkpd0d \r\nLosPollos API key: ea6ff61a45e946c287ea5f121c4f2e4b \r\nDomains and LosPollos categories: \r\nDating: romancezone[.]one \r\nMainstream: topawardpicks[.]top, yourspacegain[.]top \r\nCrypto: coinsboostbonus[.]top \r\nGay Dating: hot-gays-quest[.]life \r\niGaming: your-bigprofit[.]top \r\nCams: myhot-cams[.]life \r\nRedirects after November 20, 2024: \r\nPattern:  \r\nhxxps://\u003csubdomain\u003e.\u003capex-domain\u003e/help/?11341608982415\u0026sub_id_1=\u003cencrypted-compromised-domain\u003e\r\nExample:  \r\nhxxps://dalopt.participates[.]cfd/help/?11341608982415\u0026sub_id_1=[redacted]\r\nRedirect domains: 
\r\nabstracts.cngsby[.]cfd\r\nity.anoneth[.]fun\r\nadmirable.brehmed[.]cfd\r\nadventure.lantial[.]cfd\r\nalignment.econd[.]cfd\r\nartistry.cngsby[.]sbs\r\nbarometer.unroose[.]space\r\nbreakfast.ffiftringg[.]sbs\r\ncomposure.pedancy[.]fun\r\nconfigure.crellar[.]cfd\r\nconstructive.curvive[.]space\r\nconstructive.lantial[.]us\r\ndalopt.participates[.]cfd\r\ndiscovered.secamondareeng[.]space\r\nexpedient.eithert[.]cfd\r\nframework.chellor[.]cfd\r\nframework.reorget[.]cfd\r\nframework.retiont[.]space\r\nlandscape.chanism[.]sbs\r\nlandscape.goalked[.]cfd\r\nlandslide.postume[.]cfd\r\nmainframe.crellar[.]sbs\r\nmethodical.reorgedt[.]fun\r\nmomentous.debayon[.]sbs\r\noverload.threath[.]sbs\r\nprocedure.secreeng[.]space\r\nresonance.agained[.]cfd\r\nstreaming.threath[.]cfd\r\ntavux.participates[.]cfd\r\ntransmit.chanism[.]cfd\r\ntremendous.mcgonal[.]cfd\r\nvintage.brehmed[.]sbs\r\nworkbench.cudwork[.]cfd\r\noldoak.spindexed[.]site\r\nkeenram.anariding[.]site\r\npremiumservices.approviding[.]store\r\npoiting.poiting[.]php.ua\r\nfastbird.freolopd[.]my.id\r\nbigwave.karina2ol[.]hweb.id\r\ndaylight.fewfwefwef[.]biz.id\r\nmadfox.fewfwefwef[.]hmy.id\r\nhotwind.garudaototo[.]my.id\r\nwetsea.kerapusta[.]my.id\r\nredmoon.meraoolipo[.]my.id\r\nredmoon.diopl55[.]my.id\r\ndiopl55.domikdoma[.]my.id\r\nkeenram.signeuf[.]shop\r\nCommented out redirect URL found in the latest counts.php script: \r\n22.mbvnsmrtlnk1[.]xyz/?secret=OvA4auMm\r\nC2 used by latest counts.php scripts to retrieve redirect URLs: \r\nPrimary:\r\nhttps://t[.]me/s/trafficredirect\r\nFallback:\r\nhttps://pinkfels[.]shop/?t=json\u0026i=01e077f41c42710c07820d85fff21c63\u0026a=11341608982415\r\nUser Agents used by counts.php scripts to retrieve new redirect URLs: \r\nMozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 \r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/122.0.0.0 Safari/537.36 \r\nServer-side IoCs \r\nFiles used in C2/TDS nodes: \r\nwp-content/counts.php \r\nwp-content/count.php \r\nwp-content/data.txt \r\nwp-content/4052e211471469076d33effdf1795b24 // md5('11341608982415') \r\nIP addresses used to maintain C2/TDS nodes: \r\n45.147.254.74 \r\n45.147.255.26 \r\nMalicious admin accounts: \r\nUsernames: Random hexadecimal strings (up to 32 characters) \r\nEmail pattern: \u003csame-as-username\u003e@[random-hex].com \r\nUsername  Email \r\n7591c62c3c443a75fbdf9fadfbe2802f  7591c62c3c443a75fbdf9fadfbe2802f@113c971f77f8.com \r\n36e21a1c8c  36e21a1c8c@d5b53904ee84dac8d41331f0b.com \r\n6fcb1f44c9b1772a0  6fcb1f44c9b1772a0@1a8001dc2c3607.com \r\n3cc40c79f2d7217139a8  3cc40c79f2d7217139a8@27d831561ab46a5244a82.com \r\nPublic key: \r\n-----BEGIN PUBLIC KEY-----\r\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKLN9azzu/i/HYvYc+0CW5DViGIuCJbz\r\n23skWsSTwkO6wSga7QJU+m0elAll3iGTFOSFzXChhlluOrW6+VVLXb8CAwEAAQ==\r\n-----END PUBLIC KEY-----\r\nRelated posts:\r\nDollyWay World Domination: Eight Years of Evolving Website Malware Campaigns \r\nDollyWay’s Eight-Year Evolution: From Master134 to Modern Malware Infrastructure\r\nSource: https://www.godaddy.com/resources/news/dollyway-malware-c2-tds",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.godaddy.com/resources/news/dollyway-malware-c2-tds"
	],
	"report_names": [
		"dollyway-malware-c2-tds"
	],
	"threat_actors": [],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/718756a8fa3ac425693553d6ae60fcf744bc6f5b.pdf",
		"text": "https://archive.orkl.eu/718756a8fa3ac425693553d6ae60fcf744bc6f5b.txt",
		"img": "https://archive.orkl.eu/718756a8fa3ac425693553d6ae60fcf744bc6f5b.jpg"
	}
}