Hola Browser Supply Chain Attack Delivers Monero Miner to Windows Users
In a recent supply chain compromise, attackers infiltrated Hola Browser’s software distribution pipeline, delivering a hidden Monero cryptocurrency miner to a subset of Windows users. The incident was uncovered during routine certification testing by Sophos X-Ops as part of the AppEsteem program, where researchers detected an undeclared executable me.exe in Hola Browser version 1.251.91.0.
Analysis revealed the file functioned as a cryptominer, leveraging XMRig, a widely used open-source mining tool, to exploit infected systems. The malware employed evasion tactics, including adding itself to Windows Defender exclusion lists and installing a persistent service (hola_monitor_svc) that activated during idle periods. Despite its stealthy behavior, the executable exhibited red flags, such as a missing digital signature, obfuscated code, and unauthorized memory modifications.
Hola confirmed the attack stemmed from a compromise in its distribution infrastructure rather than a permanently infected installer. The company, with assistance from cybersecurity firm Sygnia, conducted a forensic investigation and determined that only 0.1% of users were affected. No evidence of data theft or exposure was found.
In response, Hola rebuilt its distribution pipeline, implementing stricter code-signing verification, access controls, and continuous monitoring. The incident underscores the growing threat of supply chain attacks, where trusted software delivery channels become vectors for malicious payloads, even in certified applications.
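As an added defender's triage example (not code from the article, Sophos, or Hola), the following read-only PowerShell script checks a Windows host for the three indicators the report names: the hola_monitor_svc service, Defender exclusions the miner added, and an unsigned me.exe under a Hola install directory. The Hola install paths searched are assumptions; adjust them for your environment.

```powershell
# Added example, not from the article or from Hola: read-only host triage for the
# indicators described in the report. Run in an elevated PowerShell session.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Persistence: the report names a service called hola_monitor_svc.
$svc = Get-CimInstance Win32_Service -Filter "Name='hola_monitor_svc'"
if ($svc) {
    $findings += "Service hola_monitor_svc present: state=$($svc.State) path=$($svc.PathName)"
}

# 2. Evasion: the miner added itself to Defender exclusion lists. Flag any
#    exclusion that mentions Hola or me.exe; review the full lists as well.
$pref = Get-MpPreference
$exclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)
foreach ($e in $exclusions) {
    if ($e -and $e -match 'hola|me\.exe') { $findings += "Defender exclusion: $e" }
}

# 3. The undeclared binary: an unsigned me.exe under a Hola install directory.
#    These candidate roots are assumptions, not paths taken from the report.
$roots = @("$env:LOCALAPPDATA\Hola", "$env:ProgramFiles\Hola", "${env:ProgramFiles(x86)}\Hola")
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter 'me.exe' | ForEach-Object {
        $sig  = Get-AuthenticodeSignature $_.FullName   # expect 'Valid' for legitimate vendor binaries
        $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        $findings += "me.exe at $($_.FullName) signature=$($sig.Status) sha256=$hash"
    }
}

# 4. A running instance of the miner: process 'me' with a Hola path.
Get-Process -Name 'me' | Where-Object { $_.Path -match 'hola' } | ForEach-Object {
    $findings += "Running process: $($_.Path) (PID $($_.Id))"
}

if ($findings.Count -eq 0) { 'No indicators from the report found.' } else { $findings }
```

A hit on any item warrants isolating the host and reinstalling Hola from the rebuilt distribution channel rather than just deleting the binary, since the service and exclusions survive file removal.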
Source: https://sqmagazine.co.uk/hola-browser-breach-monero-crypto-miner/
Hola TPRM report: https://www.rankiteo.com/company/hola
{
  "id": "hol1780677491",
  "linkid": "hola",
  "type": "Cyber Attack",
  "date": "6/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{
  "affected_entities": [
    {
      "customers_affected": "0.1% of users",
      "industry": "Software (Browser/VPN)",
      "name": "Hola",
      "type": "Company"
    }
  ],
  "attack_vector": "Compromised software distribution pipeline",
  "data_breach": {
    "data_exfiltration": "None",
    "personally_identifiable_information": "None"
  },
  "description": "In a recent supply chain compromise, attackers infiltrated Hola Browser’s software distribution pipeline, delivering a hidden Monero cryptocurrency miner to a subset of Windows users. The incident was uncovered during routine certification testing by Sophos X-Ops as part of the AppEsteem program, where researchers detected an undeclared executable *me.exe* in Hola Browser version 1.251.91.0. Analysis revealed the file functioned as a cryptominer, leveraging XMRig to exploit infected systems. The malware employed evasion tactics, including adding itself to Windows Defender exclusion lists and installing a persistent service (*hola_monitor_svc*) that activated during idle periods. Despite its stealthy behavior, the executable exhibited red flags, such as missing digital signatures, obfuscated code, and unauthorized memory modifications. Hola confirmed the attack stemmed from a compromise in its distribution infrastructure rather than a permanently infected installer. The company, with assistance from cybersecurity firm Sygnia, conducted a forensic investigation and determined that only 0.1% of users were affected. No evidence of data theft or exposure was found.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to supply chain compromise",
    "data_compromised": "None",
    "identity_theft_risk": "None",
    "operational_impact": "Unauthorized resource consumption (CPU/GPU for mining)",
    "payment_information_risk": "None",
    "systems_affected": "Windows systems running Hola Browser version 1.251.91.0"
  },
  "investigation_status": "Completed",
  "lessons_learned": "Supply chain attacks can exploit trusted software delivery channels, even in certified applications. Stricter verification and monitoring are critical to prevent such compromises.",
  "motivation": "Financial gain (cryptocurrency mining)",
  "post_incident_analysis": {
    "corrective_actions": "Rebuilt distribution pipeline, implemented stricter code-signing verification, access controls, and continuous monitoring",
    "root_causes": "Compromise in Hola’s software distribution infrastructure"
  },
  "recommendations": "Implement stricter code-signing verification, access controls, and continuous monitoring for software distribution pipelines. Conduct regular forensic audits of distribution infrastructure.",
  "references": [
    {"source": "Sophos X-Ops"}
  ],
  "response": {
    "containment_measures": "Rebuilt distribution pipeline, removed malicious executable",
    "enhanced_monitoring": "Continuous monitoring implemented",
    "remediation_measures": "Stricter code-signing verification, access controls, continuous monitoring",
    "third_party_assistance": "Sygnia (cybersecurity firm)"
  },
  "title": "Hola Browser Supply Chain Attack Delivers Monero Miner to Windows Users",
  "type": "Supply Chain Attack"
}