
Hola Browser for Windows Compromised to Deliver Monero Cryptominer via Supply Chain Attack


The Windows version of Hola Browser was compromised in a supply chain attack discovered in early June 2026, with attackers quietly injecting an undeclared executable into the browser’s official installation pipeline. The file — identified by researchers as an XMRig-based Monero cryptocurrency miner — was bundled alongside the legitimate Hola Browser installer and dropped silently onto users’ systems. The compromise was uncovered not by Hola’s internal security monitoring catching it in time, but by Sophos X-Ops researchers during routine certification testing through the AppEsteem Windows Certified Application program. Hola’s CEO has since acknowledged the incident, and independent forensic firm Sygnia has confirmed it as a supply chain compromise affecting approximately 0.1% of users.

What is Hola Browser?

Hola is an Israeli company best known for Hola VPN — a freemium service that allows users to bypass geographic content restrictions by routing traffic through other users’ devices or paid proxy infrastructure. The company’s commercial arm, formerly known as Luminati Networks and now rebranded as Bright Data, operates one of the world’s largest proxy networks. Hola Browser is a Chromium-based browser that integrates VPN and proxy functionality directly into the browsing experience, allowing users to switch between virtual locations without needing a separate VPN application. The browser is used by millions of users worldwide, particularly in regions where geographic content blocking is common.

Hola and its products have attracted controversy in the past due to opaque traffic-handling practices — critics have raised concerns about the use of user bandwidth in the peer-to-peer proxy model without sufficiently clear disclosure. This background gives the cryptominer incident additional weight: it is not the first time Hola’s handling of users’ computing resources has raised questions.

How the Attack Was Discovered

The compromise came to light through AppEsteem — an AMTSO-certified organization founded in 2016 that runs periodic validation tests to confirm that certified software matches its declared and approved installation footprint. AppEsteem’s process essentially creates a verified fingerprint of what a certified installer is supposed to do and contain, and then periodically re-tests the software against that baseline to detect changes.

During a routine certification check of Hola Browser version 1.251.91.0, Sophos X-Ops researchers detected an unexpected executable present in the installation — a file named me.exe — sitting inside the browser’s installation directory at C:\Program Files\Hola. The file was not part of the browser’s declared software package and had not been present in the previously certified version. Its presence triggered an immediate investigation.
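The footprint re-test described above can be reduced to a simple idea: fingerprint an approved install once, then diff every later build against that fingerprint. The script below is an added illustration of that idea, not AppEsteem's or Sophos's tooling; the directory layout, file names and file contents are constructed for the demo, and the "approved" and "later" trees stand in for a certified baseline and a subsequently shipped build. Any file that was not in the approved footprint, was removed, or whose contents changed is reported, and newly added executables are called out separately, since an undeclared binary dropped into the install directory is exactly the case that triggered the Hola investigation.

```python
"""
Added example (not AppEsteem's or Sophos's code): a minimal install-footprint
baseline check. An approved install is fingerprinted once (relative path ->
SHA-256) and a later install of the same product is compared against it.
All paths and file contents here are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# File types that should never appear in a build without being declared.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".msi", ".ps1", ".bat", ".cmd"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(install_dir: Path) -> dict[str, str]:
    """Map every file under install_dir (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(install_dir).as_posix(): sha256_file(p)
        for p in sorted(install_dir.rglob("*"))
        if p.is_file()
    }


def compare_footprint(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff a current fingerprint against the approved baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    # Undeclared executables are the highest-signal finding in a supply chain check.
    new_executables = [p for p in added if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "new_executables": new_executables,
    }


def footprint_matches(baseline: dict[str, str], current: dict[str, str]) -> bool:
    """True only when the current build is byte-for-byte the approved footprint."""
    return not any(compare_footprint(baseline, current).values())


def demo() -> dict[str, list[str]]:
    """Build a constructed 'approved' tree and a 'later' tree that gained one undeclared binary."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp) / "approved"
        (approved / "resources").mkdir(parents=True)
        (approved / "hola.exe").write_bytes(b"approved browser binary (constructed)")
        (approved / "resources" / "locale.pak").write_bytes(b"constructed resource data")

        # Persist the baseline the way a certifier keeps it between re-tests.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(fingerprint(approved), indent=2))

        later = Path(tmp) / "later"
        (later / "resources").mkdir(parents=True)
        (later / "hola.exe").write_bytes(b"approved browser binary (constructed)")
        (later / "resources" / "locale.pak").write_bytes(b"constructed resource data")
        # The undeclared addition: same name as the file the article reports, content constructed.
        (later / "me.exe").write_bytes(b"undeclared executable (constructed placeholder)")

        baseline = json.loads(baseline_file.read_text())
        return compare_footprint(baseline, fingerprint(later))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real install, `fingerprint()` would be pointed at the certified build once and at each shipped build afterwards; a non-empty `new_executables` list is the finding that should block release until someone can explain where the file came from.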

Technical Analysis: What me.exe Does

Forensic analysis of me.exe revealed it to be based on XMRig — a widely-used, open-source cryptocurrency mining tool originally designed for legitimate use but frequently weaponized in malware campaigns due to its efficiency at mining Monero (XMR) and its open availability. Sophos classified the malicious binary as Troj/GoMiner-B, with the SHA256 hash e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721.

When executed with administrative rights, me.exe behaves as follows:

  • Copies itself to a new path within the Hola directory to establish a persistent location
  • Registers itself as a Windows service named hola_monitor_svc — a name deliberately designed to appear as a legitimate Hola monitoring component to casual inspection
  • Begins mining Monero (XMR) using the victim machine’s CPU resources, sending proceeds to the attacker’s wallet
  • Runs silently in the background with no visible user interface, detectable primarily through sustained elevated CPU usage and the resulting higher power consumption

The use of a service name closely mimicking a legitimate Hola component reflects deliberate obfuscation — an attacker who understood the Hola software ecosystem designed the persistence mechanism specifically to blend in. This level of specificity suggests an attacker with inside knowledge of Hola’s software architecture, or who had conducted significant prior reconnaissance on the installation.

Scope and Impact

Hola CEO Avi Raz Cohen confirmed the incident and stated that Hola’s own internal monitoring had also flagged the anomaly — though this detection came after AppEsteem’s external discovery rather than before it. Independent cybersecurity firm Sygnia was engaged to conduct a thorough forensic review. Sygnia’s findings confirmed the supply chain compromise, with the incident assessed as affecting approximately 0.1% of Hola Browser’s user base. Crucially, Sygnia’s investigation found no evidence that any user data was accessed or exfiltrated — the miner’s purpose was exclusively to use victims’ CPU resources for Monero mining, not to steal personal information or credentials.

The 0.1% figure may sound small, but given Hola’s reported user base of millions, it potentially represents tens of thousands of affected Windows installations. Users who installed or updated Hola Browser during the compromised version’s availability window and whose machines meet the administrative privilege conditions for me.exe to execute should assume they were affected.

Supply Chain Attacks: A Growing Pattern

The Hola Browser incident is part of a documented and accelerating pattern of software supply chain attacks — where attackers compromise the distribution pipeline of legitimate software to deliver malicious payloads to users who trust the official installer. The technique is particularly effective because users receive the malware through a trusted source (the official installer from the legitimate vendor’s website) and because security tools that whitelist known-good software may not flag the compromise until the miner or other payload is behaviorally detected.

Similar supply chain compromises in recent years have affected npm packages, browser extensions, and popular software installers across multiple platforms. This incident echoes the pattern seen in the VS Code extension supply chain attacks documented in the Kali Linux 2026.1 release notes, where a malicious Nx Console extension was available on the Visual Studio Marketplace for 17 minutes before removal. Understanding how to proactively identify supply chain risks has become a critical component of enterprise security strategy.

What Affected Users Should Do

  • Check for hola_monitor_svc in Windows Services. Open Services (services.msc) and look for a service named hola_monitor_svc. If present, stop and disable it immediately before removing it.
  • Scan with updated antivirus software. Sophos and other major vendors have updated their signatures to detect Troj/GoMiner-B. Run a full system scan with the latest definitions.
  • Remove and reinstall Hola Browser. Uninstall the affected version completely, verify the malicious service is gone, and only reinstall from the official Hola website after Hola confirms the pipeline has been secured and a clean installer is available.
  • Monitor CPU usage. Cryptominers typically cause sustained high CPU utilization even when the browser is not actively in use. If your machine has been running unusually hot or slow, check Task Manager for unexpected processes.
  • Reconsider Hola VPN’s traffic-handling model. Separately from this incident, users should be aware that Hola VPN routes traffic through other users’ devices — a model with privacy and legal implications distinct from traditional VPN services.
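The first two checklist items above (look for the service, confirm the binary) can be scripted. The following is an added triage example, not tooling from Hola, Sophos or Sygnia. It inventories Windows services, then flags any service that matches the indicators this article reports: the name hola_monitor_svc, a binary living under C:\Program Files\Hola that the browser's declared package does not account for, or a file whose SHA-256 equals the Troj/GoMiner-B hash. The `collect_windows_services()` helper shells out to PowerShell and only works on Windows; the analysis itself takes plain records, so it runs offline on the constructed sample inventory. The declared-binary list, the HolaUpdater record and the subfolder path under the Hola directory are assumptions for the demo, not facts from the article.

```python
"""
Added example (not vendor code): triage Windows services against the
indicators reported for the Hola Browser incident. Sample inventory,
the DECLARED_BINARIES set and the service binary paths are constructed.
"""
from __future__ import annotations

import hashlib
import json
import platform
import subprocess
from dataclasses import dataclass, field
from pathlib import Path, PureWindowsPath

IOC_SERVICE_NAME = "hola_monitor_svc"  # service name reported in the article
IOC_SHA256 = "e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721"  # from the article
HOLA_INSTALL_DIR = PureWindowsPath(r"C:\Program Files\Hola")  # install directory from the article
# Assumed for the demo: what the vendor's declared package lists. A real check
# would use the certified manifest rather than a hard-coded set.
DECLARED_BINARIES = {"hola.exe"}


@dataclass
class Finding:
    service: str
    binary: str
    reasons: list[str] = field(default_factory=list)


def sha256_file(path: Path) -> str:
    """Hash a local file; used to compare a suspect binary with the published IoC."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_from_pathname(pathname: str) -> PureWindowsPath:
    """Win32_Service.PathName may be quoted and carry arguments; keep only the executable."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        exe = pathname[1:].split('"', 1)[0]
    else:
        exe = pathname.split(" ", 1)[0]
    return PureWindowsPath(exe)


def triage(services: list[dict], hashes: dict[str, str] | None = None) -> list[Finding]:
    """services: [{"Name": ..., "PathName": ...}]; hashes: optional binary path -> SHA-256."""
    known_hashes = {k.lower(): v.lower() for k, v in (hashes or {}).items()}
    findings: list[Finding] = []
    for svc in services:
        name = svc.get("Name") or ""
        exe = binary_from_pathname(svc.get("PathName") or "")
        reasons = []
        if name.lower() == IOC_SERVICE_NAME:
            reasons.append("service name matches the reported IoC")
        # PureWindowsPath comparisons are case-insensitive, matching NTFS semantics.
        if HOLA_INSTALL_DIR in exe.parents and exe.name.lower() not in DECLARED_BINARIES:
            reasons.append("service binary under the Hola install dir is not a declared file")
        if known_hashes.get(str(exe).lower()) == IOC_SHA256:
            reasons.append("binary SHA-256 matches Troj/GoMiner-B")
        if reasons:
            findings.append(Finding(service=name, binary=str(exe), reasons=reasons))
    return findings


def collect_windows_services() -> list[dict]:
    """Windows only: inventory services via PowerShell's Get-CimInstance Win32_Service."""
    if platform.system() != "Windows":
        raise RuntimeError("service inventory requires Windows")
    cmd = [
        "powershell", "-NoProfile", "-Command",
        "Get-CimInstance Win32_Service | Select-Object Name,PathName,State | ConvertTo-Json",
    ]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    data = json.loads(out)
    return data if isinstance(data, list) else [data]  # ConvertTo-Json unwraps a single item


# Constructed inventory for an offline run; not real command output.
SAMPLE_SERVICES = [
    {"Name": "Dhcp", "PathName": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"Name": "hola_monitor_svc", "PathName": r'"C:\Program Files\Hola\svc\me.exe"'},  # subfolder assumed
    {"Name": "HolaUpdater", "PathName": r'"C:\Program Files\Hola\hola.exe" --update'},  # assumed record
]
SAMPLE_HASHES = {r"C:\Program Files\Hola\svc\me.exe": IOC_SHA256}  # constructed hash table


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_HASHES):
        print(f.service, f.binary, "; ".join(f.reasons))
```

On a live machine, replace the sample with `triage(collect_windows_services(), {p: sha256_file(Path(p)) for p in suspect_paths})`, where `suspect_paths` are the binaries of any service located under the Hola directory; a finding with all three reasons is the case the article describes, and a finding on the directory rule alone still deserves a look, since the miner copies itself to a new path inside that directory.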

Conclusion

The Hola Browser cryptominer incident is a textbook supply chain attack: a trusted distribution pipeline compromised to deliver malicious code to users who had no reason to suspect anything was wrong. AppEsteem’s certification testing process caught the compromise and prevented it from spreading more widely — a demonstration of the value of independent, ongoing validation of certified software. Hola’s engagement of Sygnia for forensic investigation and the CEO’s public acknowledgment represent appropriate incident response. The incident is a reminder that software supply chain integrity requires cryptographic provenance, strict pipeline hygiene, and continuous independent validation — not just a one-time certification check.

Mohammad Irfan Aslam

Mohammad Irfan Aslam (also known as Muhammad Irfan Aslam or Rana Irfan) is an IT infrastructure specialist, DevOps engineer, and technology consultant based in Riyadh, Saudi Arabia. With over 6 years of hands-on experience in Linux system administration, VMware virtualization, Docker, cloud platforms (AWS, Azure, GCP), CI/CD pipelines, and enterprise networking, Irfan founded visittome.com to deliver professional IT services to businesses across Saudi Arabia and the GCC region. He is the author of in-depth technical guides on cybersecurity, Linux, cloud infrastructure, and enterprise IT published on this blog.
