Your Website May Be Hacked by Gambling Malware

Campaign Overview

A new gambling-malware campaign is hitting many legitimate websites by injecting malicious JavaScript that promotes Chinese gambling sites. Around 150,000 websites have been affected so far. Security researcher Himanshu Anand from c/side noted that, although the attackers have slightly updated the appearance of their payload, they still use an iframe to display a full-screen overlay in a visitor's browser. Current figures from PublicWWW indicate that more than 135,800 sites are now carrying the malicious code.


How the Attack Works

The attackers inject JavaScript into compromised sites, which hijacks a visitor's browser and redirects them to gambling pages. The redirects originate from scripts hosted on a small number of domains, such as "zuizhongyj[.]com", which deliver the main malicious payload. In another variant of the attack, additional scripts and iframes are added to the page that imitate well-known betting brands such as Bet365 by reusing their official logos. This variant covers the original website with a full-screen overlay built with CSS, so visitors see only the gambling advertisement.
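A defender-side check for the pattern described above, added here as an example and not code from the article or from c/side: it parses a page's HTML and flags script tags loaded from hosts outside an assumed allowlist, plus iframes styled as fixed, full-viewport overlays. The allowlist hosts and the attacker.example domain in the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts this site legitimately loads scripts/frames from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
FULL_SIZE = ("width:100%", "width:100vw", "height:100%", "height:100vh")


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Relative URLs have no host and are treated as same-origin.
        host = urlparse(src).hostname if src else None
        foreign = host is not None and host not in self.allowed_hosts
        if tag == "script" and foreign:
            self.findings.append(("external-script", host))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            # Fixed positioning plus full-viewport sizing is the overlay signature.
            if "position:fixed" in style and any(s in style for s in FULL_SIZE):
                self.findings.append(("fullscreen-iframe", host or src))
            elif foreign:
                self.findings.append(("external-iframe", host))


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    # Returns the findings for one HTML document, in document order.
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page reproducing the injection pattern described above.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//attacker.example/loader.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="https://attacker.example/overlay"
 style="position: fixed; top:0; left:0; width:100vw; height:100vh; z-index:99999"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it against crawled copies of your own pages; any hit outside the allowlist is worth a manual look at the site's templates and active plugins.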

Widespread Web Attack Promotes Gambling Sites

Rising Trends in Online Threats

Anand noted that this method shows how attackers are constantly changing their tactics to reach more targets while hiding their true actions. These client-side attacks are becoming more frequent, with new cases reported almost every day.

The DollyWay Operation

At the same time, GoDaddy has revealed details about a long-running malware operation called DollyWay World Domination. Since 2016, this campaign has compromised over 20,000 websites globally, and by February 2025, more than 10,000 WordPress sites had been compromised. Researcher Denis Sinegubko explained that the current version mainly targets WordPress sites by inserting redirect scripts that rely on a network of compromised nodes acting as a Traffic Direction System (TDS). These scripts funnel visitors to scam pages via networks linked to VexTrio, one of the largest cybercriminal affiliate groups, which uses advanced DNS and traffic-distribution techniques to spread malware worldwide.

How DollyWay Operates

The attack starts with a dynamically generated script added to the WordPress site, which eventually redirects visitors to links associated with VexTrio or LosPollos. Sometimes, ad networks such as PropellerAds are used to monetize the redirected traffic. The malicious code is placed through PHP injections into active plugins, and the attackers also disable security plugins, remove unauthorized admin users, and steal legitimate admin credentials to maintain control.

Recent Changes and Impact

GoDaddy's investigation shows that the DollyWay system uses a distributed network of compromised WordPress sites as TDS and command-and-control (C2) nodes, generating about 9–10 million page views each month. The malicious redirect links are sourced from the LosPollos network. Around November 2024, some of the C2/TDS servers were taken down, and the script now fetches new redirect addresses from a Telegram channel called "trafficredirect." This break with LosPollos marks an important change in the campaign. Although the attackers have quickly switched to other ways of earning money, these rapid changes have led to some outages, indicating they may be facing operational challenges.