
Crypto-Miner Discovered in Hola Browser Installation

Severity: Medium (Score: 51.9)

Sources: News.Sophos, Blogs.Sophos

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: unexpected, test, sophos, x-ops, surprise, executable, hola

Summary

Sophos X-Ops identified an unexpected executable, me.exe, bundled with Hola Browser (version 1.251.91.0) during an AppEsteem certification test. This executable, not certified, appears to function as a crypto-miner and was flagged as a Potentially Unwanted Application (PUA). Following the discovery, Hola confirmed that me.exe was not intended to be included with their installer and stated they have fixed their delivery pipeline to prevent such issues. The incident raises concerns about supply chain integrity, as the executable was not present in every test run, suggesting variability in the delivery path. The issue highlights the importance of thorough validation processes in software certification.

Key Points:

  • An unexpected executable, me.exe, was found in Hola Browser installations.
  • The executable is suspected to be a crypto-miner and flagged as a Potentially Unwanted Application.
  • Hola has since fixed their delivery pipeline to prevent future occurrences.

Detailed Analysis

**Impact** Users of Hola Browser version 1.251.91.0 were potentially affected by the unintended delivery of a crypto-mining executable. The scope appears limited to installations where the compromised delivery pipeline introduced the me.exe binary, primarily impacting Windows systems. No specific sectors, geographies, or data breaches were reported, and operational consequences relate mainly to unauthorized resource consumption and potential system performance degradation.

**Technical Details** The attack vector involved a supply chain integrity issue within Hola Browser’s delivery pipeline, causing the inclusion of an undeclared executable (me.exe) identified as a crypto-miner. The binary performs Windows Defender exclusion, copies itself as HolaMonitorService.exe, and creates an autostart service named hola_monitor_svc that runs when the host is idle. Detection is associated with the Sophos signature Troj/GoMiner-B. No CVEs or external infrastructure details were provided.

**Recommended Response** Defenders should verify that Hola Browser installations are updated beyond version 1.251.91.0 to ensure the delivery pipeline fix is applied. Endpoint detection and response tools should be configured to detect and block the me.exe binary and related service (hola_monitor_svc). Monitoring for unauthorized Windows Defender exclusions and unusual service creation on endpoints is advised. No patches beyond Hola’s pipeline fix were specified.
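
The monitoring advised under Recommended Response can be sketched as a small triage over exported Windows events. This is an added example, not code from Sophos or Hola: it assumes service-install events (Service Control Manager ID 7045) and Defender configuration-change events (ID 5007) have been exported to simple records, and the field names, hosts, paths, times and the ten-minute correlation window are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Indicator names come from the page; the event record layout is an assumed,
# simplified export of Service Control Manager 7045 and Defender 5007 events.
SERVICE_NAME = "hola_monitor_svc"
IMAGE = re.compile(r'(?:^|[\\/"])(?:holamonitorservice|me)\.exe\b', re.I)
EXCLUSION = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def triage(events):
    """Return (host, finding, time) tuples in chronological order."""
    findings, last_exclusion = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when, host = datetime.fromisoformat(ev["time"]), ev["host"]
        if ev["id"] == 5007 and EXCLUSION.search(ev.get("new_value", "")):
            # Defender configuration change that adds an exclusion entry.
            last_exclusion[host] = when
            findings.append((host, "defender-exclusion-added", ev["time"]))
        elif ev["id"] == 7045:
            named = (ev.get("service", "").lower() == SERVICE_NAME
                     or IMAGE.search(ev.get("image_path", "")) is not None)
            prior = last_exclusion.get(host)
            if named:
                findings.append((host, "hola-monitor-service-installed", ev["time"]))
            elif prior is not None and when - prior <= WINDOW:
                # Generic pattern: any new service shortly after an exclusion.
                findings.append((host, "service-soon-after-exclusion", ev["time"]))
    return findings

# Constructed sample records (hosts, paths and times are made up).
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2026-01-01T10:00:00", "id": 5007, "new_value":
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Example = 0x0"},
    {"host": "WS-01", "time": "2026-01-01T10:00:40", "id": 7045,
     "service": "hola_monitor_svc", "image_path": r"C:\Example\HolaMonitorService.exe"},
    {"host": "WS-02", "time": "2026-01-01T11:00:00", "id": 7045,
     "service": "ExampleUpdater", "image_path": r"C:\Example\chrome.exe"},
    {"host": "WS-03", "time": "2026-01-01T12:00:00", "id": 5007, "new_value":
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\example.exe = 0x0"},
    {"host": "WS-03", "time": "2026-01-01T12:03:00", "id": 7045,
     "service": "ExampleSvc", "image_path": r"C:\Example\svc.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

The name-based match only covers the indicators listed on this page; the exclusion-then-service correlation is the part that still fires if the binary or service is renamed.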

Source articles (2)

  • You do surprise me.exe: An unexpected executable in Hola Browser — News.Sophos · 2026-06-04
    Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride During review work related to an AppEsteem Windows Certified Application test, Sophos X-Ops recently identifie…
  • You do surprise me.exe: An unexpected executable in Hola Browser — Blogs.Sophos · 2026-06-04
    Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride During review work related to an AppEsteem Windows Certified Application test, Sophos X-Ops recently identifie…

Timeline

  • 2026-06-04 — Unexpected executable identified in Hola Browser: Sophos X-Ops found me.exe bundled with Hola Browser during an AppEsteem certification test, raising supply chain integrity concerns.
  • 2026-06-04 — Hola confirms me.exe was not intended for delivery: Hola acknowledged that me.exe should not have been included with their installer and has fixed the delivery pipeline.

Related entities

  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Hola (Company)
  • GoMiner (Malware)
  • T1496 - Resource Hijacking (Mitre Attack)
  • T1543.003 - Windows Service (Mitre Attack)
  • T1562.001 - Disable Or Modify Tools (Mitre Attack)
  • Hola Browser (Platform)
  • Windows (Platform)
  • e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721 (Sha256)