A growing campaign has compromised about 150,000 legitimate websites to date by infiltrating them with malicious JavaScript injections that promote Chinese-language gambling platforms.
The threat actor has significantly updated their user interface, but still relies on an iframe injection to render a full-screen overlay in the visitor's browser, according to c/side security analyst Himanshu Anand in a new analysis.
According to PublicWWW statistics, more than 135,800 websites currently load the script.
The security firm's earlier report claimed the campaign involved infecting websites with malicious JavaScript designed to redirect site visitors to gambling-related pages.
The redirections were traced to JavaScript hosted on five different domains (such as "zuizhongyj[.]com") that serve the primary payload responsible for the redirects.
c/side also reported seeing a different scheme that uses official logos and branding, along with script and iframe elements in the HTML, to impersonate legitimate betting sites such as Bet365.
The end goal is to create a full-screen overlay using CSS that replaces the actual website content with the malicious gambling landing page when a visitor reaches one of the infected sites.
Anand noted the constant adaptation of threat actors, who have refined their approach and added new layers of obfuscation. "Client-side problems like these are on the rise, with more and more cases being discovered daily," the report said.
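As an added illustration (not code from c/side or the article), the following heuristic scan flags the two markers described above in a page's HTML: third-party script or iframe loaders, and an iframe whose inline CSS pins it to the viewport at full width and height. The domains and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Heuristic: an element looks like a full-screen overlay when its inline style
# uses position:fixed/absolute and stretches to 100% (or 100vw/100vh) in both
# dimensions. This is an illustrative check, not c/side's scanner.
_OVERLAY_RE = re.compile(r"position\s*:\s*(fixed|absolute)", re.I)
_FULL_RE = re.compile(r"(width|height)\s*:\s*100\s*(%|v[wh])", re.I)


class OverlayFinder(HTMLParser):
    """Collects <iframe>/<script> elements that look like injected overlays."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = re.sub(r"^https?://", "", src).split("/")[0].lower()
        external = bool(host) and host != self.site_host
        style = a.get("style") or ""
        full = bool(_OVERLAY_RE.search(style)) and len(_FULL_RE.findall(style)) >= 2
        if tag == "iframe" and full:
            self.findings.append(("fullscreen-iframe", src))
        elif external:
            self.findings.append(("external-" + tag, src))


def scan_html(html, site_host):
    """Return (finding_type, src) tuples for suspicious elements in `html`."""
    p = OverlayFinder(site_host)
    p.feed(html)
    return p.findings


# Constructed sample page: a benign first-party script, an injected third-party
# loader, and a fixed, full-viewport iframe that would cover the real content.
SAMPLE = """<html><body>
<script src="https://example.com/js/app.js"></script>
<script src="https://loader.example.invalid/loader.js"></script>
<div id="content">Real page content</div>
<iframe src="https://overlay.example.invalid/" style="position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:9999;border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE, "example.com"):
        print(kind, src)
```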
The disclosure comes as GoDaddy revealed details of a long-running malicious campaign known as DollyWay World Domination, which has compromised over 20,000 websites worldwide since 2016. As of February 2025, over 10,000 distinct WordPress websites are victims of the operation.
Security researcher Denis Sinegubko said that "the current iteration [...] primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of Traffic Direction System (TDS) nodes hosted on compromised websites.
"These scripts point site visitors to various scam websites through traffic broker sites associated with one of the largest known cybercriminal affiliate networks, which uses advanced DNS techniques, traffic distribution systems, and domain generation techniques to distribute malware and scams across global networks."
The attacks begin by injecting a dynamically generated script into the WordPress website, which ultimately directs visitors to LosPollos or VexTrio links. The operation is also said to have used advertising networks to monetize traffic from hacked websites.
To facilitate the server-side injections, PHP code is inserted into active plugins, alongside steps to disable security plugins, remove harmful admin users, and siphon legitimate administrator credentials.
GoDaddy has since found that the DollyWay TDS uses a distributed network of compromised WordPress sites as TDS and C2 nodes, averaging 9 to 10 million page impressions per month. It also found that the VexTrio redirect URLs were obtained from the traffic broker network.
DollyWay operators are said to have deleted several of their C2/TDS servers around November 2024, with the TDS script obtaining the redirect URLs from a Telegram channel named trafficredirect.
The breakdown of DollyWay's relationship with LosPollos represents a significant turning point in this ongoing campaign, Sinegubko observed. The operators have demonstrated remarkable adaptability by quickly switching to alternative traffic monetization strategies, but their rapid system changes and partial disruptions suggest there may have been some operational impact.