
Hola Browser Compromised to Deliver Cryptominer in Supply Chain Attack

"We have since completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure," assured Hola’s CEO, Avi Raz Cohen.

The compromised Hola Browser installer

During routine AppEsteem certification testing, Sophos and other cybersecurity firms discovered an undeclared executable being delivered with the Windows version of Hola Browser. The file, identified as "me.exe" in some cases, was being installed under C:\Program Files\Hola\. AppEsteem’s periodic checks uncovered the issue even though the product had previously passed certification.

Technical signs that the binary was a cryptominer

Researchers reported multiple red flags in the undeclared component: the binary lacked a digital signature, had no timestamp, contained obfuscated code, and was capable of writing to memory. Sophos found strings in the executable that indicated it was a Monero cryptocurrency miner. The miner, according to analysis, implemented persistence and evasion behaviors: it added a Windows Defender exclusion rule, copied itself to Program Files as "HolaMonitorService.exe," created an auto-starting Windows service named "hola_monitor_svc," and configured itself to run when the computer was idle.

Supply chain compromise and independent detection

Hola confirmed to AppEsteem that it had suffered a supply chain compromise; that conclusion was also independently reached by the cybersecurity firm Sygnia. Hola stated that approximately 0.1% of its users were affected and that investigators had found no evidence of user data access, theft, or compromise.

Hola’s remediation steps and outstanding questions

In response, Hola’s CEO Avi Raz Cohen described several measures the company has implemented: a complete rebuild of its distribution pipeline, advanced code-signing verification, tighter access controls, and continuous monitoring across infrastructure. BleepingComputer contacted Hola seeking additional details about how the breach occurred, the identity of any perpetrators, and whether clients on other platforms were affected; the outlet had not received further comment as of publishing.

How users, security teams, and app certifiers will respond

  • Hola’s users: For users, the immediate concerns are whether their devices show the telltale files or services (me.exe, HolaMonitorService.exe, or hola_monitor_svc) and whether system defenses were altered (Windows Defender exclusions). Hola’s statement asserts a small scope of impact (about 0.1% of users) and no detected data theft, but affected users will likely need to verify the absence of the listed artifacts and confirm Defender settings.
  • Security teams and incident responders: Detection teams will be looking for the specific indicators described by Sophos — unsigned, timestampless binaries with obfuscated code and strings tied to Monero mining, the presence of HolaMonitorService.exe, and the hola_monitor_svc service — and will review Defender exclusion rules for unauthorized entries. The event was discovered during AppEsteem certification checks, underscoring the role of independent certification and outside scrutiny in finding supply chain compromises.
  • App certifiers and vendors: AppEsteem’s periodic testing played a direct role in discovering the compromise, which illustrates why ongoing certification and repeated integrity checks matter for software distributed to end users. Vendors are likely to re-evaluate distribution pipelines, code-signing practices, and continuous monitoring to reduce the risk that undeclared components reach installers.
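
The host checks described in the list above can be scripted. The following PowerShell is an added example, not code from the article, Sophos, or Hola; it looks only for the file and service names quoted above and lists Defender exclusions for review. Searching both Program Files roots and flagging exclusions that contain "hola" are assumptions of this example, since the article does not give exact paths or the exclusion's value.

```powershell
#Requires -RunAsAdministrator
# Added example. Artifact names come from the article; search scope and matching rules are assumptions.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Files: me.exe under C:\Program Files\Hola\ and HolaMonitorService.exe under Program Files.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$files = @(
    Get-ChildItem -Path (Join-Path $env:ProgramFiles 'Hola') -Filter 'me.exe' `
        -Recurse -File -Force -ErrorAction SilentlyContinue
    Get-ChildItem -Path $roots -Filter 'HolaMonitorService.exe' `
        -Recurse -File -Force -ErrorAction SilentlyContinue
)
foreach ($f in $files) {
    # The article reports the binary was unsigned, so record the Authenticode status and a hash.
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Add-Finding 'File' "$($f.FullName) signature=$($sig.Status) sha256=$hash"
}

# 2. Service: hola_monitor_svc, or any service whose binary is HolaMonitorService.exe.
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.Name -eq 'hola_monitor_svc' -or $_.PathName -like '*HolaMonitorService.exe*'
}
foreach ($s in $services) {
    Add-Finding 'Service' "$($s.Name) state=$($s.State) start=$($s.StartMode) path=$($s.PathName)"
}

# 3. Defender exclusions: only an elevated session can read the real values.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $mp = Get-MpPreference
    $exclusions = (@($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) |
        Where-Object { $_ }
    foreach ($e in $exclusions) {
        # Match the Hola folder/service names, or me.exe as a whole file name (not e.g. chrome.exe).
        $named = ($e -match 'hola') -or ($e -match '(^|\\)me\.exe$')
        $check = if ($named) { 'DefenderExclusion' } else { 'DefenderExclusion (review)' }
        Add-Finding $check $e
    }
}

$findings | Format-Table -AutoSize -Wrap
$hits = @($findings | Where-Object { $_.Check -notlike '*(review)' }).Count
"Artifacts matching the article's indicators: $hits"
```

Rows tagged "(review)" are exclusions that do not match the article's names; they are listed so an administrator can confirm each one was set deliberately.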

Contextual notes and concluding observation

Hola Browser is a Chromium-based browser that integrates VPN and proxy functionality directly into the browser, and the vendor is best known for Hola VPN. The company and its products have previously drawn scrutiny because of traffic-handling practices tied to a commercial service called Luminati Networks, which reportedly turned free users into proxies. In this episode, independent certification testing and third-party analysis exposed an undeclared Monero miner in the Windows distribution, prompting Hola to rebuild its distribution process and tighten signing and access controls.

The breach highlights a narrow but consequential category of supply chain risk: when a signed and distributed application begins to deliver undeclared, unsigned executables that perform resource-hungry, persistent operations on users’ machines. Hola’s public remediation steps and the vendor’s estimate of a limited impact are concrete actions; unanswered technical and forensic questions — about how the malicious component entered the distribution pipeline and whether other platforms were affected — remain, pending further information from Hola or other investigators.

Source: BleepingComputer — Hola Browser for Windows compromised to deliver cryptominer