Hola Browser Compromised to Deliver Cryptominer via Supply Chain Attack
Severity: High (Score: 67.5)
Sources: News.Sophos, Gbhackers, Bleepingcomputer, Blogs.Sophos
Keywords: unexpected, test, sophos, x-ops, surprise, executable, hola
Summary
The Hola Browser for Windows (version 1.251.91.0) was compromised in a supply chain attack, delivering an undeclared executable identified as a cryptocurrency miner. This issue was discovered during AppEsteem certification checks, which revealed the presence of the executable 'me.exe' in some installations. The binary lacked code signing, a timestamp, and contained obfuscated code, indicating malicious intent. Hola confirmed the compromise, stating that only 0.1% of users were affected and that no user data was accessed or stolen. The company has since rebuilt its distribution pipeline and implemented advanced security measures. The incident highlights significant vulnerabilities in software supply chains and the importance of rigorous application integrity checks.
Key Points:
- Hola Browser was compromised to deliver a crypto-miner via supply chain attack.
- The malicious executable 'me.exe' was not part of the certified application footprint.
- Hola has implemented new security measures to prevent future incidents.
Detailed Analysis
**Impact** The supply chain compromise affected Windows users of Hola Browser version 1.251.91.0, with Hola estimating approximately 0.1% of its user base impacted. The incident involved the unauthorized delivery of a crypto-mining executable, potentially increasing resource consumption and operational costs on affected devices. There is no evidence of user data theft or broader data compromise. The affected software is used globally, with no specific geographic concentration reported.

**Technical Details** The attack involved a supply chain compromise in Hola Browser's Windows delivery pipeline, introducing an undeclared executable named `me.exe`. This binary, identified as a Monero crypto-miner, lacked code signing and timestamps and contained obfuscated code. Its observed behaviors included adding Windows Defender exclusions, copying itself to `C:\Program Files\Hola\HolaMonitorService.exe`, and creating an auto-start Windows service named `hola_monitor_svc`. Detection signatures include Sophos Troj/GoMiner-B and indicators related to XMRig mining activity. No CVEs or specific exploitation techniques were detailed.

**Recommended Response** Defenders should verify that installed versions of Hola Browser do not include the `me.exe` or `HolaMonitorService.exe` binaries and remove them if found. Deploy detection rules targeting the Troj/GoMiner-B signature and monitor for the creation of the `hola_monitor_svc` service and Windows Defender exclusion modifications. Organizations should ensure software supply chain integrity by validating code signing and hashes of Hola Browser installers. Monitor network traffic for unusual cryptocurrency mining activity and update endpoint protection to detect similar miner behaviors.
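
A host triage check for the artifacts named above, as an added PowerShell example that is not taken from Sophos, Hola or the source articles. The file paths and service name come from this page; the pattern used to filter Defender exclusions is an assumption, since the page does not say which exclusions were added.

```powershell
# Added triage example. Run from an elevated session: Get-MpPreference
# does not reveal exclusions to non-administrators.
$holaDir  = 'C:\Program Files\Hola'               # install path named in the report
$suspects = 'me.exe', 'HolaMonitorService.exe'    # binaries named in the report
$svcName  = 'hola_monitor_svc'                    # service named in the report
$findings = @()

# 1. Undeclared binaries: record signature status and SHA-256 so the analyst
#    can compare them with indicators from their threat-intel source.
foreach ($name in $suspects) {
    $path = Join-Path $holaDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Check  = 'File'
            Item   = $path
            Detail = "Signature=$($sig.Status); SHA256=$hash"
        }
    }
}

# 2. Auto-start service: Win32_Service exposes the start mode and binary path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Check  = 'Service'
        Item   = $svc.Name
        Detail = "StartMode=$($svc.StartMode); Path=$($svc.PathName)"
    }
}

# 3. Defender exclusions that mention Hola or me.exe (filter pattern is an assumption).
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    $exclusions = @($mp.ExclusionPath) + @($mp.ExclusionProcess) | Where-Object { $_ }
    foreach ($e in $exclusions) {
        if ($e -match 'Hola|\\me\.exe$') {
            $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Item = $e; Detail = 'Review and remove if not intended' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No artifacts from the report were found on this host.' }
```

A `NotSigned` signature status on a file in the Hola directory matches the unsigned binary described above and should be escalated rather than deleted in place, so the file and service configuration remain available for analysis.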
Source articles (4)
- You do surprise me.exe: An unexpected executable in Hola Browser — News.Sophos · 2026-06-04
  Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride. During review work related to an AppEsteem Windows Certified Application test, Sophos X-Ops recently identifie…
- You do surprise me.exe: An unexpected executable in Hola Browser — Blogs.Sophos · 2026-06-04
  Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride. During review work related to an AppEsteem Windows Certified Application test, Sophos X-Ops recently identifie…
- Hola Browser for Windows compromised to deliver cryptominer — Bleepingcomputer · 2026-06-04
  The Windows version of the Hola Browser has been compromised in a supply chain attack that delivered an undeclared executable identified by researchers as a cryptocurrency miner. The compromise was un…
- Hola Browser Windows Delivery Pipeline Hijacked to Deploy Cryptominer — Gbhackers · 2026-06-05
  An undeclared executable bundled with Hola Browser for Windows (version 1.251.91.0) that later proved to be a crypto‑miner. The binary, written to C:\Program Files\Hola\me.exe in affected installs, wa…
Timeline
- 2026-06-04 — Compromise discovered during certification checks: Sophos X-Ops identified an undeclared executable 'me.exe' in Hola Browser during AppEsteem tests.
- 2026-06-04 — Hola confirms supply chain compromise: Hola acknowledged the delivery of the malicious executable and stated that only 0.1% of users were affected.
- 2026-06-05 — Hola implements new security measures: Following the incident, Hola has rebuilt its distribution pipeline and enhanced security protocols.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Hola (Company)
- GoMiner (Malware)
- XMRig (Malware)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1496 - Resource Hijacking (Mitre Attack)
- T1543.003 - Windows Service (Mitre Attack)
- T1562.001 - Disable Or Modify Tools (Mitre Attack)
- Hola Browser (Platform)
- Windows (Platform)
- e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721 (Sha256)