Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A trusted browser application has landed at the center of a supply chain security incident after researchers discovered that its official delivery pipeline had been quietly compromised.

Hola Browser for Windows, used by millions of users around the world, was found distributing an unexpected executable file alongside its legitimate installer.

The file, named me.exe, was not part of the browser’s declared software package, and it appears to have been silently dropped onto users’ systems without their knowledge or consent.

The issue came to light during a routine certification review conducted through the AppEsteem Windows Certified Application program.

AppEsteem, an AMTSO-certified organization founded in 2016, runs periodic validation tests to confirm that certified software matches its declared and approved installation footprint.

During one such test involving Hola Browser version 1.251.91.0, the unexpected file was detected sitting inside the browser’s installation directory at C:\Program Files\Hola\me.exe.

Analysts at Sophos X-Ops identified the suspicious file and flagged it as a Potentially Unwanted Application during the certification test.

According to a Sophos report shared with Cyber Security News (CSN), the binary was not code signed, carried no timestamp, contained obfuscated code, and had memory-write capability.

While none of these traits on its own would necessarily raise an alarm, together they painted a clear picture of something that had no business being bundled with a certified application.

Further investigation revealed that the file did not appear in every single test run, which ruled out the possibility of it being hardcoded into the installer itself.

This inconsistency pointed instead to a delivery-path issue, suggesting that the binary was being pushed through the update distribution pipeline under specific conditions.

In short, AppEsteem had certified one clean version of Hola Browser, but some users were receiving more than what had been certified.

After the issue was escalated through AppEsteem to Hola, the company confirmed that me.exe was never meant to be part of their installer.

Hola’s CEO Avi Raz Cohen acknowledged that their internal monitoring had also detected the anomaly, and independent cybersecurity firm Sygnia was brought in to conduct a thorough forensic review.

Sygnia’s findings confirmed this was a supply chain compromise, with the incident affecting roughly 0.1% of users and no user data accessed or exfiltrated at any point.

Hola Browser for Windows Delivery Pipeline Compromised

The me.exe binary appears to be based on XMRig, a well-known open-source crypto-mining tool. When run with administrative rights, the file copies itself to a new path within the Hola directory and registers itself as a Windows service named hola_monitor_svc.

This service is set to autostart and activates specifically when the host machine is idle, making it harder for the average user to notice any unusual activity or performance slowdown.

To avoid detection, the binary also added a Windows Defender exclusion for itself, effectively asking the operating system to ignore its presence entirely.

The strings found inside the file, including references to stopping the miner when a user becomes active, suggest it was carefully designed to run quietly in the background at all times. Sophos has classified this particular threat under the detection name Troj/GoMiner-B.
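The behaviour described above gives a defender four concrete things to check on a Windows host: the autostart service, the two known file paths and the miner hash, a Defender exclusion covering the install directory, and any unsigned executable sitting in the Hola directory. The script below is an added hunting example, not code from the article, Sophos, AppEsteem or Hola; the indicator values come from the report, while the output format and the choice to treat every non-valid Authenticode status as a finding are this script's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added hunting script (not from the article): checks a Windows host for the
# Hola miner indicators listed in the report. Indicator values are from the
# article; the layout and reporting choices below are this script's assumptions.

$InstallDir  = 'C:\Program Files\Hola'
$ServiceName = 'hola_monitor_svc'
$MinerSha256 = 'e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721'
$KnownPaths  = @("$InstallDir\me.exe", "$InstallDir\HolaMonitorService.exe")
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the miner registers itself as an autostart Windows service.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $Findings.Add("Service '$ServiceName' present: state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)")
}

# 2. Known drop locations, compared against the miner hash seen in Sophos telemetry.
foreach ($p in $KnownPaths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $tag  = if ($hash -eq $MinerSha256) { 'MATCHES reported miner hash' } else { 'hash not in report, review manually' }
        $Findings.Add("File present: $p sha256=$hash ($tag)")
    }
}

# 3. Defender exclusions: the miner added one so Defender would ignore it.
$exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($e in @($exclusions)) {
    if ($e -and $e -like "$InstallDir*") {
        $Findings.Add("Defender path exclusion covers the install directory: $e")
    }
}

# 4. Footprint check: the miner was not code signed, so any executable under the
#    install directory without a valid Authenticode signature is worth a look.
if (Test-Path -LiteralPath $InstallDir) {
    Get-ChildItem -LiteralPath $InstallDir -Recurse -Include *.exe,*.dll -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $Findings.Add("Signature not valid: $($_.FullName) ($($sig.Status))")
            }
        }
}

if ($Findings.Count -eq 0) { 'No Hola miner indicators found.' } else { $Findings }
```

A hit on check 4 alone is not proof of compromise; confirm it against the service, path and hash checks before acting on it.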

Supply Chain Risk and Pipeline Integrity

This incident is a strong reminder that even certified and trusted software can become a vehicle for malicious payloads when the delivery pipeline itself is compromised.

The fact that the file did not appear consistently across test environments made it harder to catch through standard certification checks alone.

It took a combination of third-party testing and security vendor telemetry working together to ultimately surface the full scope of the issue.

Following the discovery, Hola rebuilt its distribution pipeline from the ground up, introduced advanced code-signing verification, and tightened access controls across its entire infrastructure.

The company also committed to continuous monitoring to ensure that only declared and properly signed components ever reach end users going forward.

The outcome here represents the certification ecosystem working as intended, with an integrity problem caught, escalated, and fully resolved before it could grow into something far more damaging.

Indicators of Compromise (IoCs):

Type           | Indicator                                                        | Description
---------------|------------------------------------------------------------------|------------
SHA256         | 174086534a2de730058465a4a4e231ce3778ab17ebebfd7f62b3bf9750bc7bdb | Hola Browser installer certified hash
SHA1           | 8046735d354814bf9ef9a053cb9cad8cfec261f2                         | Hola Browser installer certified hash
MD5            | 8462f61e68b37d220eab2462b3cbcec8                                 | Hola Browser installer certified hash
SHA256         | e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721 | me.exe cryptominer binary captured in Sophos telemetry
File Name      | me.exe                                                           | Undeclared cryptominer executable dropped in Hola Browser directory
File Path      | C:\Program Files\Hola\me.exe                                     | Location of the malicious binary on affected systems
File Path      | C:\Program Files\Hola\HolaMonitorService.exe                     | Path the binary copies itself to when run with admin rights
Service Name   | hola_monitor_svc                                                 | Windows service created by the miner for persistence and autostart
Detection Name | Troj/GoMiner-B                                                   | Sophos detection classification for the me.exe binary

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
