Hola Browser users on Windows were unknowingly exposed to a cryptocurrency mining payload after attackers compromised the company’s software distribution pipeline.
Quick Summary – TLDR:
- Hola Browser for Windows was compromised in a supply chain attack that delivered a hidden Monero crypto miner to some users.
- Security researchers discovered an undeclared executable called me.exe during software certification testing.
- Hola says only 0.1% of users were affected and there is no evidence that user data was stolen or exposed.
- The company has rebuilt its distribution pipeline and implemented stronger security controls following the incident.
What Happened?
A supply chain compromise involving Hola Browser for Windows resulted in some users receiving a cryptocurrency mining program alongside the browser installation. The issue was uncovered during routine software certification checks conducted through the AppEsteem certification program, where security researchers identified an unexpected executable that had not been declared as part of the browser package.
Further analysis revealed that the file behaved like a Monero cryptocurrency miner, prompting an investigation into Hola’s software delivery infrastructure and update mechanisms.
Security researchers recently uncovered a supply chain compromise in the Hola browser for Windows, where it slipped a crypto-miner into some users’ systems.
— PiunikaWeb – helpful, and breaking tech news (@PiunikaWeb) June 5, 2026
This was spotted by Sophos X-Ops during routine certification testing, prompting swift action from the company.…
Cryptomining Malware Found Inside Browser Installation
The incident came to light when researchers at Sophos detected a suspicious executable named me.exe during testing of Hola Browser version 1.251.91.0. The file was written to the *C:\Program Files\Hola* directory despite not being included among the browser’s certified components.
Researchers noted several warning signs. The executable lacked a digital signature, had no timestamp, contained obfuscated code, and included functionality capable of modifying memory. While these characteristics alone do not automatically confirm malicious activity, they raised immediate concerns because the file should not have been present in a certified software package.
Additional telemetry data collected by Sophos helped preserve a sample of the binary for deeper analysis. Researchers eventually concluded that the executable functioned as a cryptocurrency miner designed to use infected systems for mining Monero.
Evidence Pointed to XMRig Based Mining Activity
The malware contained several strings commonly associated with mining operations. Researchers found references to XMRig, one of the most widely used open source mining tools for Monero.
Analysis also uncovered strings such as:
- “killed orphan miner pid %d”
- “user active, stopping miner”
- “m/cmd/xmrig-idle”
According to Sophos, the malware attempted to evade detection by adding itself to Windows Defender exclusion lists. When executed with administrator privileges, it copied itself to C:\Program Files\Hola\HolaMonitorService.exe and created a Windows service named hola_monitor_svc.
The service was configured to start automatically and operate when the computer was idle, helping the mining activity remain less noticeable to users.
Investigation Revealed a Supply Chain Compromise
Researchers did not observe the rogue file during every installation test. This inconsistency suggested the issue was not tied to a permanently infected installer.
Instead, investigators believe the malicious file was introduced through parts of Hola’s software delivery process. Possible sources included the company’s distribution pipeline, content delivery network, build environment, or update infrastructure.
The varying behavior across test runs strongly indicated that the malware was being delivered only under specific conditions, a hallmark of modern supply chain attacks.
Hola Responds and Rebuilds Distribution Pipeline
Following responsible disclosure through the AppEsteem certification program, Hola launched an internal investigation and brought in cybersecurity firm Sygnia to conduct a forensic review.
Hola CEO Avi Raz Cohen confirmed that the company detected anomalous activity within its software distribution pipeline and described the incident as a supply chain compromise.
According to Hola, the affected delivery mechanism was immediately disabled and the unwanted software removed from company infrastructure. The company estimates that approximately 0.1% of users were impacted.
Hola also stated that forensic findings uncovered no evidence that user data was accessed, stolen, or exposed during the incident.
Why This Matters?
Supply chain attacks continue to be one of the most effective ways for attackers to reach large numbers of users through trusted software. Even applications that pass certification processes can become targets if attackers gain access to distribution infrastructure.
The Hola web browser incident serves as another reminder that software vendors must secure not only their applications but also the systems used to build, sign, and distribute them.
SQ Magazine Takeaway
I think this incident shows why supply chain security has become just as important as application security. Users may download software from legitimate sources and still end up receiving malicious code if the distribution process is compromised.
While Hola says only a small percentage of users were affected and no data was stolen, the discovery of a hidden Monero miner inside a trusted software delivery channel highlights how sophisticated these attacks have become. Companies can no longer focus only on protecting the product itself. They must protect every step that delivers that product to users.
