Overview
A recent supply‑chain compromise has impacted the Windows version of Hola Browser, delivering an undeclared executable identified as a cryptocurrency miner. The breach was discovered during AppEsteem’s certification testing, which Hola Browser had previously passed.
Hola, an Israeli company best known for Hola VPN, integrates VPN and proxy functionality directly into its Chromium‑based browser. The firm has faced prior scrutiny for opaque traffic‑handling practices linked to Luminati Networks, which turned free users into proxy nodes.

Attack Mechanism
Researchers from Sophos and other cybersecurity firms uncovered an unauthorized binary named me.exe installed under C:\Program Files\Hola\.
| Stage | Component | Impact |
|---|---|---|
| Unauthorized Executable | me.exe — unsigned, obfuscated binary | Deploys Monero cryptominer |
| Persistence Setup | Copies to HolaMonitorService.exe and creates hola_monitor_svc service | Auto‑starts when system is idle |
| Defender Exclusion | Adds Windows Defender exception | Avoids antivirus detection and removal |
| Resource Hijacking | Uses CPU/GPU for Monero mining | Degrades system performance and energy efficiency |
The miner runs silently, activating when the computer is idle, and hides behind legitimate Hola Browser processes.
Technical Insights
The malicious binary lacked a digital signature, timestamp, and certification, violating AppEsteem’s integrity standards. Static analysis revealed Monero mining strings and memory‑write capabilities, confirming its purpose.
The malware’s persistence mechanism involves:
- Service creation under the name hola_monitor_svc.
- Executable renaming to blend with legitimate components.
- Defender policy modification to bypass security controls.
Vendor Response
Hola confirmed the supply‑chain compromise after being notified by AppEsteem and independently verified by Sygnia.
“We have since completely rebuilt our distribution pipeline, implemented advanced code‑signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure,” said Hola CEO Avi Raz Cohen.
The company stated that only 0.1% of users were affected and found no evidence of data theft or user compromise.
Mitigation Steps
Users should take immediate precautions:
- Uninstall Hola Browser until verified updates are released.
- Scan for malware using reputable security tools.
- Check Windows services for unauthorized entries.
- Remove Defender exclusions to restore protection.
- Monitor CPU usage for unusual spikes when idle.
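The checks above can be scripted. The following triage script is an added example, not code from Hola, AppEsteem or the researchers; the service name, file names and install directory come from the article, while the assumption that the Defender exclusion references the Hola install directory is my own.

```powershell
# Triage script (added example): looks for the artifacts described in the article.
# Assumption: the Defender exclusion points at the Hola install directory; adjust the filter if needed.
#Requires -RunAsAdministrator

$HolaDir     = 'C:\Program Files\Hola'
$ServiceName = 'hola_monitor_svc'
$Binaries    = @('me.exe', 'HolaMonitorService.exe')

function Find-HolaMinerArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Persistence service: match the reported name, or any service whose binary lives under the Hola directory
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -eq $ServiceName -or $_.PathName -like "*$HolaDir*" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'Service'; Item = $_.Name; Detail = "$($_.State) $($_.PathName)" })
        }

    # 2. Dropped or renamed executables; report Authenticode status so an unsigned file stands out
    foreach ($name in $Binaries) {
        $path = Join-Path $HolaDir $name
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $findings.Add([pscustomobject]@{ Type = 'File'; Item = $path; Detail = "Signature: $($sig.Status)" })
        }
    }

    # 3. Defender exclusions that would shield the miner from scanning (removal is left as a deliberate manual step)
    $pref = Get-MpPreference
    foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($ex -and $ex -like '*Hola*') {
            $findings.Add([pscustomobject]@{ Type = 'DefenderExclusion'; Item = $ex; Detail = 'Remove with Remove-MpPreference -ExclusionPath / -ExclusionProcess' })
        }
    }

    # 4. Idle-time CPU: average total CPU over 10 s; a high value on an otherwise idle machine warrants a look at running processes
    $cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 2 -MaxSamples 5).CounterSamples |
           Measure-Object -Property CookedValue -Average
    $findings.Add([pscustomobject]@{ Type = 'CpuAverage'; Item = '_Total'; Detail = ('{0:N1} %' -f $cpu.Average) })

    return $findings
}

Find-HolaMinerArtifacts | Format-Table -AutoSize
```

Run it from an elevated PowerShell session while the machine is otherwise idle, so the CPU sample reflects background activity rather than your own work.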
Expert in the Cloud Insight
The Hola Browser incident underscores the growing risk of supply‑chain attacks targeting consumer applications. Even trusted software can be weaponized through compromised distribution channels.
For enterprises and individuals alike, the lesson is clear: code‑signing verification and continuous pipeline monitoring are non‑negotiable. As cryptomining malware becomes more stealthy, defenders must focus on behavioral anomalies — not just signatures — to detect resource abuse and unauthorized executables.