Hola Browser supply chain attack plants Monero miner

The Windows version of Hola Browser was compromised in a supply chain attack that installed an undeclared executable identified as a Monero cryptominer, triggering changes in Hola’s distribution pipeline and new security controls after AppEsteem certification.
For users who trusted a browser update, the danger didn’t arrive as a dramatic pop-up or a conspicuous installation. It showed up during routine testing as a silent piece of software—an undeclared executable landing under C:\Program Files\Hola—and researchers recognized it for what it was: a cryptocurrency miner.
The Windows version of Hola Browser was found compromised in a supply chain attack that delivered an executable identified as a cryptocurrency miner. The issue was uncovered during periodic certification checks on Hola Browser as part of its AppEsteem certification testing procedure. The browser had previously passed these certification checks.
Hola is an Israeli company best known for Hola VPN, a service that routes internet traffic through other users’ devices or through paid proxy infrastructure to bypass geographic restrictions and access content from different countries. Hola Browser extends that approach inside the browser itself: it is based on Chromium and integrates VPN and proxy functionality directly into the browser.
But Hola’s history is not a blank page. The company and its products have attracted controversy over opaque traffic-handling practices tied to the operation of a commercial service called Luminati Networks, which turned free users into proxies.
In the latest app integrity checks, Sophos and other cybersecurity companies involved in the evaluation process discovered an undeclared executable named ‘me.exe’ being installed in some cases under C:\Program Files\Hola.
The file had not been certified, had no timestamp, wasn’t digitally signed, contained obfuscated code, and could write to memory. When Sophos examined it further, the signs pointed directly to its purpose. The binary included strings indicating it was a Monero cryptocurrency miner.
The miner did more than just run. It added a Windows Defender exclusion rule, copied itself to Program Files as ‘HolaMonitorService.exe,’ created an auto-starting Windows service named ‘hola_monitor_svc,’ and ran when the computer was idle.
Hola was informed of the findings by AppEsteem and confirmed that they had suffered a supply chain compromise. The same compromise was also independently detected by cybersecurity firm Sygnia.
Still, Hola disputes the scale of impact. The company says that only about 0.1% of its users were affected, and that there is no evidence of user data access, theft, or compromise.
Hola’s CEO, Avi Raz Cohen, said in response that the company has rebuilt its distribution pipeline and tightened controls. “We have since completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure,” Cohen said. “These measures are designed to ensure that only declared, certified, and signed components are ever delivered to our users.”
The sequence of findings is stark: an undeclared ‘me.exe’ installed under C:\Program Files\Hola, lacking certification and signatures, with obfuscated code that could write to memory, then transforming into a service that persists across reboots and adds a Windows Defender exclusion rule. The certification check, which the browser had previously passed, became the moment the intrusion was made visible—only after the software had moved through a distribution pathway and landed on systems.
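The indicators reported above can be checked on a Windows host with a short triage script. The following is an added example, not code from Hola, Sophos or AppEsteem: the file, directory and service names come from the article, while the search scope under Program Files and the pattern used to match Defender exclusions are assumptions, since the report does not say which exclusion was added.

```powershell
# Added example. Indicator names are from the article; the search scope and
# the exclusion-matching pattern are assumptions. Run from an elevated prompt:
# without elevation Get-MpPreference does not reveal the exclusion lists.
$names    = 'me.exe', 'HolaMonitorService.exe'
$service  = 'hola_monitor_svc'
$holaDir  = Join-Path $env:ProgramFiles 'Hola'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Files named in the report. No full path is given for the copied service
#    binary, so search Program Files instead of guessing one.
Get-ChildItem -Path $env:ProgramFiles -Include $names -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        Add-Finding "file:$($_.Name)" "$($_.FullName) signature=$($sig.Status)"
    }

# 2. Any executable in the Hola directory without a valid Authenticode
#    signature (the reported file was not digitally signed).
if (Test-Path $holaDir) {
    Get-ChildItem -Path $holaDir -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        ForEach-Object { Add-Finding 'exe-without-valid-signature' $_.FullName }
}

# 3. The auto-starting service created for persistence.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$service'" -ErrorAction SilentlyContinue |
    ForEach-Object {
        Add-Finding "service:$service" "start=$($_.StartMode) state=$($_.State) path=$($_.PathName)"
    }

# 4. Defender exclusions that mention Hola or me.exe (assumed pattern).
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
        Where-Object { $_ -and $_ -match 'hola|(^|\\)me\.exe$' } |
        ForEach-Object { Add-Finding 'defender-exclusion' $_ }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No indicators from the report were found on this host.' }
```

A match on the exclusion check alone is not conclusive, because a legitimate Hola installation could also appear there; weigh it together with the file and service results.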
BleepingComputer reached out to Hola to request more information about how the breach occurred, who the perpetrators are, and whether clients on other platforms were also affected. As of publication, the company had not replied with those details.