Full Report
An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu
Analysis Summary
# Incident Report: Mass Website Hijacking for Gambling Promotion (DollyWay Campaign)
## Executive Summary
A large-scale, ongoing cybercriminal campaign has compromised an estimated 150,000 legitimate websites, primarily WordPress installations. Attackers inject malicious JavaScript that hijacks the visitor's browser with a full-screen overlay and redirects to Chinese-language gambling platforms, in some cases routing through redirection networks such as VexTrio. The campaign has proven resilient and adaptable: the infrastructure changes observed after late 2024 indicate that its monetization chain was disrupted, not the campaign itself.
## Incident Details
- Discovery Date: Ongoing; documented extensively through March 2025.
- Incident Date: Campaign has been running since at least 2016 (DollyWay).
- Affected Organization: Approximately 150,000 websites compromised to date, including over 10,000 unique WordPress sites as of February 2025 (DollyWay).
- Sector: Website/Hosting, E-commerce (Affected sites span various industries).
- Geography: Global.
## Timeline of Events
### Initial Access
- Date/Time: Long-running (DollyWay since 2016), with recent heightened activity in early 2025.
- Vector: Injection of malicious PHP code into active plugins on compromised WordPress sites.
- Details: Attackers obtain server-side write access (the specific plugin vulnerabilities exploited are not stated) and plant the loader inside an active plugin, so it runs on every page the site serves and emits the script tag that fetches the JavaScript payload.
### Lateral Movement
- Details: No host-to-host lateral movement is described; instead the actors consolidate control of each compromised site by disabling security plugins, tampering with administrator accounts, and siphoning legitimate administrator credentials so that access survives cleanup attempts. Compromised WordPress sites are also enlisted as nodes of a distributed Traffic Direction System (TDS) that routes visitor traffic to the final gambling pages.
### Data Exfiltration/Impact
- Impact: Redirection of site visitors. The main impact was forcing visitors to view fullscreen overlays promoting illegal gambling platforms, impersonating legitimate betting sites (e.g., Bet365) using logos and branding. C2/TDS servers were briefly disrupted around November 2024.
### Detection & Response
- Detection: Discovered through ongoing website security analysis and reporting by firms like c/side and GoDaddy.
- Response Actions: Not fully detailed, but the threat actors made rapid infrastructure changes, including moving C2/TDS servers and sourcing redirect URLs from a Telegram channel after disruptions related to the LosPollos traffic broker network.
## Attack Methodology
- Initial Access: Server-side PHP code injection into vulnerable plugins.
- Persistence: Siphoning legitimate admin credentials; disabling security measures.
- Privilege Escalation: Not explicitly detailed, assumed via credential theft or abuse of existing administrative access granted by successful plugin compromise.
- Defense Evasion: Obfuscation layers in injected scripts; deleting security plugins.
- Credential Access: Siphoning legitimate admin credentials.
- Discovery: Unknown, likely automated scanning for vulnerable WordPress installations/plugins.
- Lateral Movement: Utilizing compromised sites as part of a distributed Traffic Direction System (TDS).
- Collection: Not applicable beyond the request attributes the TDS uses to choose a redirect target.
- Exfiltration: None reported; monetization is through redirected visitor traffic rather than stolen data.
- Impact: Full-screen browser hijacking via malicious JavaScript iframe injection leading to mandatory redirects.
## Impact Assessment
- Financial: Monetization occurred via traffic broker networks (like LosPollos) and potentially using ad networks (like PropellerAds). Specific organizational costs are not provided.
- Data Breach: No direct customer PII exfiltration was reported, but administrative credentials were stolen, risking further compromise.
- Operational: Visitors to 150,000+ sites are hijacked into full-screen gambling overlays, making the affected properties effectively unusable until the injected code is removed.
- Reputational: High; visitors see the site serving illegal gambling promotions that impersonate legitimate betting brands (e.g., Bet365).
## Indicators of Compromise
- Network Indicators (Defanged):
- JavaScript hosting domains (e.g., `zuizhongyj[.]com`).
- Redirect URLs sourced from the LosPollos traffic broker network or Telegram channel `trafficredirect`.
- Connectivity to VexTrio-associated infrastructure.
- File Indicators: Modified PHP files inside active plugins that emit the loader script tag; the JavaScript payload itself is fetched from attacker-hosted domains rather than stored on the site.
- Behavioral Indicators: Visitor browsers being forced to display full-screen CSS overlays resulting in redirection to gambling sites.
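As an added example (not code from c/side, GoDaddy or the original report), the following Python script checks page markup for the two client-side indicators listed above: a script tag loading from a host outside the site's allowlist, and an iframe styled as a full-viewport overlay. The site host, the allowlist, the attacker hostnames and both sample pages are constructed for the example; the campaign's real script domain and overlay styling may differ, so treat the CSS heuristics as assumptions to tune against observed samples.

```python
"""Check page markup for the client-side indicators above: a <script src>
from a host outside the site's allowlist and an <iframe> styled as a
full-viewport overlay. Hosts, allowlist and sample pages are constructed
for this example (not captured from the campaign)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

SITE_HOST = "shop.example.com"                         # assumed site origin
ALLOWED_SCRIPT_HOSTS = {SITE_HOST, "cdn.example.com"}  # assumed allowlist

# Heuristics for an element meant to cover the whole viewport (assumption:
# injected overlays use similar inline CSS; tune per observed samples).
OVERLAY_RULES = [
    re.compile(r"position\s*:\s*fixed", re.I),
    re.compile(r"(width|height)\s*:\s*100(vw|vh|%)", re.I),
    re.compile(r"z-index\s*:\s*\d{4,}", re.I),
]


class IndicatorScanner(HTMLParser):
    """Collects (indicator, detail) tuples while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # A relative src has no hostname and is same-origin.
            host = urlparse(a["src"]).hostname or SITE_HOST
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("external_script", host))
        if tag == "iframe":
            style = a.get("style") or ""
            matched = sum(1 for rule in OVERLAY_RULES if rule.search(style))
            if matched >= 2:  # two of three CSS hints = likely overlay
                self.findings.append(("fullscreen_overlay", a.get("src") or ""))


def scan_html(html):
    """Return the list of indicators found in the given markup."""
    scanner = IndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages: a clean page and one carrying both indicators.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body><p>Welcome</p></body></html>"""

INFECTED_PAGE = """<html><head>
<script src="https://js.attacker-example.invalid/loader.js"></script>
</head><body>
<iframe src="https://promo.attacker-example.invalid/"
 style="position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:99999;border:0"></iframe>
<p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

The overlay iframe is created by the injected JavaScript at runtime, so static HTML fetched with a plain HTTP client will only show the external script tag; to catch the overlay, feed the scanner the DOM serialized from a headless browser after the page has loaded.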
## Response Actions
- Containment: (Inferred) Security vendors urged site owners to patch and clean infected installations; the actors responded by rapidly moving C2/TDS infrastructure rather than abandoning the campaign.
- Eradication: (Inferred) Removal of the injected PHP from plugins, reinstatement of disabled security plugins, rotation of all administrator credentials (legitimate ones were siphoned), and takedown of C2/TDS nodes.
- Recovery: Cleaned sites return to normal operation, but given the actors' adaptability, reinfection is likely unless the original access vector is closed and stolen credentials are rotated.
## Lessons Learned
- Client-side attacks, particularly involving injected JavaScript, remain highly effective and are on the rise.
- Threat actors continuously adapt their infrastructure (e.g., moving from broker networks like LosPollos to direct Telegram communication for redirect URLs) to maintain monetization despite infrastructure disruption.
## Recommendations
- Deploy a Content Security Policy with an explicit `script-src` allowlist so the browser refuses script sources outside the site's known origins. Caveat: a CSP header emitted by the compromised WordPress server can be altered by an attacker with PHP write access, so the policy is most effective when enforced at a CDN or reverse proxy the attacker does not control.
- Regularly audit active plugins and themes, comparing their PHP files against a clean copy of the same version and removing anything unused; server-side file modification, not a browser-side weakness, is the entry point in this campaign.
- Monitor for unexpected changes to plugin, theme and core files, and alert when a security plugin is deactivated or an administrator account is created or altered.
- Review third-party dependencies (plugins, ad tags) that load or render client-side scripts, since each one widens the set of origins the page must trust.
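As an added example of the file-integrity and audit recommendations above (not code from the vendors or the original report), the following Python script hashes every PHP file under a plugins directory into a baseline, later diffs the directory against that baseline, and greps the changed or added files for constructs typical of injected loaders. The plugin directory, its contents and the simulated injection are constructed inside a temporary directory for the example; the pattern list is an assumption to extend from real samples.

```python
"""Detect server-side plugin tampering: baseline sha256 of every .php file,
diff against it later, and flag suspicious constructs in files that changed.
The plugin tree and the injection below are constructed for this example."""
import hashlib
import os
import re
import tempfile

# Triage signals only (assumption: typical loader obfuscation); legitimate
# code also uses base64_decode, so review hits rather than auto-deleting.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "inflate_or_rot13": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    "script_injection": re.compile(r"<script[^>]+src=[\"']https?://", re.I),
}


def build_baseline(root):
    """Map relative path (forward slashes) -> sha256 of each .php file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return baseline


def diff_baseline(root, baseline):
    """Return changed, added and removed .php files relative to the baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def suspicious_php(text):
    """Names of SUSPICIOUS patterns matching the file contents."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]


def demo():
    """Build a fake plugin, baseline it, inject a loader, and report."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "seo-helper")   # hypothetical plugin
        os.makedirs(plugin)
        main = os.path.join(plugin, "seo-helper.php")
        with open(main, "w") as fh:
            fh.write("<?php\n/* Plugin Name: SEO Helper */\n"
                     "add_action('wp_head', 'seo_helper_meta');\n")
        baseline = build_baseline(root)

        # Simulate the attack: an obfuscated loader appended to the active
        # plugin and a hidden helper file that emits the external script tag.
        with open(main, "a") as fh:
            fh.write("if(!function_exists('_x')){eval(base64_decode('ZWNobyAxOw=='));}\n")
        with open(os.path.join(plugin, ".cache.php"), "w") as fh:
            fh.write("<?php echo '<script src=\"https://js.attacker-example.invalid/l.js\"></script>';\n")

        delta = diff_baseline(root, baseline)
        hits = {}
        for rel in delta["changed"] + delta["added"]:
            with open(os.path.join(root, rel)) as fh:
                hits[rel] = suspicious_php(fh.read())
        return delta, hits


if __name__ == "__main__":
    delta, hits = demo()
    print("delta:", delta)
    print("hits:", hits)
```

In production the baseline would be taken right after a clean install or update and stored off-host (an attacker with write access to the plugins directory can otherwise rewrite the baseline too), and the diff would run from a scheduled job on the hosting side rather than from within WordPress itself.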