Since [date], an ongoing campaign has grown to more than 150,000 websites through malicious JavaScript injections used to promote Chinese-language gambling platforms.
According to c/side security researcher Himanshu Anand, the threat actor has significantly updated their interface but still relies on an iframe injection to render a full-screen overlay in the visitor's browser.
According to PublicWWW statistics, more than 135,800 websites contain the script load as of this writing.
The strategy involves infecting websites with malicious JavaScript designed to hijack the user's browser window and redirect site visitors to pages promoting gambling platforms, as the web security company reported.
The redirects were found to be caused by JavaScript hosted on five different domains (such as "zuizhongyj[.]com") that serve the primary payload performing the redirects.
c/side reported that it has also observed a different variant that uses the standard logos and branding of legitimate betting sites such as Bet365, impersonating them through scripts and iframe elements in the HTML.
The end goal is to create a full-screen overlay using CSS that replaces the actual website content with the malicious gambling landing page when a visitor lands on one of the infected sites.
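The two traits described above, an external script load from an attacker-controlled domain and a fixed, full-viewport iframe that covers the page, are what a site owner can check for. The following scanner is an added example written for this article, not c/side's tooling; the sample HTML and the "attacker.example" domain are constructed, while "zuizhongyj.com" is the domain named in the text.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains to flag when a <script src> points at them. "zuizhongyj.com" is the one named in
# the article (written there as zuizhongyj[.]com); "attacker.example" is a constructed placeholder.
SUSPECT_DOMAINS = {"zuizhongyj.com", "attacker.example"}

# Constructed sample page: a benign script, an injected loader from a flagged domain, and a
# fixed-position iframe sized to cover the whole viewport, like the overlay described above.
SAMPLE_HTML = """<html><head>
<script src="/assets/site.js"></script>
<script src="https://attacker.example/loader.js"></script>
</head><body>
<iframe src="https://attacker.example/landing" style="position: fixed; top: 0; left: 0; width: 100vw; height: 100vh; z-index: 99999; border: 0;"></iframe>
<iframe src="https://video.example/embed" width="560" height="315"></iframe>
</body></html>"""

def _host_matches(src, domains):
    """True if the URL's host is one of the flagged domains or a subdomain of one."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def _covers_viewport(style):
    """True if an inline style pins the element and stretches it over the full viewport."""
    s = style.lower().replace(" ", "")
    full = ("100%", "100vw", "100vh")
    return ("position:fixed" in s
            and any(f"width:{v}" in s for v in full)
            and any(f"height:{v}" in s for v in full))

class InjectionScanner(HTMLParser):
    """Collects (kind, src) findings for suspicious script loads and overlay iframes."""
    def __init__(self, domains):
        super().__init__()
        self.domains = domains
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src") and _host_matches(a["src"], self.domains):
            self.findings.append(("script-src", a["src"]))
        elif tag == "iframe" and _covers_viewport(a.get("style", "")):
            self.findings.append(("fullscreen-iframe", a.get("src", "")))

def scan_html(html, domains=SUSPECT_DOMAINS):
    """Scan one page's HTML and return the list of findings (empty if nothing matched)."""
    parser = InjectionScanner(domains)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_HTML):
        print(f"{kind}: {src}")
```

Overlays injected at runtime by the loader script will not appear in the server-side HTML, so run the check against the rendered DOM (for example, a headless browser dump) as well as the raw page source.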
This attack demonstrates how threat actors continuously adapt, broaden their scope, and employ innovative forms of obfuscation, according to Anand. "Client-side problems like these are on the rise, with more and more cases being discovered daily," the report states.
The disclosure comes as GoDaddy revealed details of a long-running ransomware attack known as DollyWay World Domination, which has compromised over 20,000 websites worldwide since 2016. Over 10,000 unique WordPress websites have fallen victim to the operation as of February 2025.
Security researcher Denis Sinegubko said that "the current iteration […] primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of Traffic Direction System (TDS) nodes hosted on compromised websites."
"These scripts point site visitors to various scam websites through traffic broker sites involving […], one of the largest known cybercriminal affiliate sites, which uses advanced DNS techniques, traffic distribution methods, and domain generation techniques to distribute malware and schemes across global systems."
The attack begins by injecting a dynamically generated script into the WordPress website, which ultimately directs visitors to LosPollos or VexTrio links. The operation is also said to have used advertisement networks such as […] to drive traffic from hacked websites.
To facilitate the injections on the server side, PHP code is injected into active plugins, alongside steps to disable security plugins, remove malicious admin users, and steal legitimate admin credentials.
GoDaddy has since found that DollyWay uses a distributed network of compromised WordPress sites as TDS and C2 nodes, averaging 9 to 10 million page impressions per month. It also found that the VexTrio redirect websites were obtained from the traffic broker network.
The DollyWay operators are alleged to have deleted several of their C2/TDS servers around November 2024, with the TDS script obtaining the redirect URLs from a Telegram channel named trafficredirect.
Sinegubko said that the breakdown of DollyWay's connection with LosPollos represents a significant turning point in this ongoing battle. The operators have demonstrated amazing adaptability by immediately switching to alternative traffic monetization strategies, but the sudden changes in infrastructure and incomplete outages suggest there may be some operational impact.