
A supply chain compromise resulted in a crypto-mining executable being distributed alongside certain installations of Hola Browser for Windows.
The unexpected component, named me.exe, was discovered by Sophos X-Ops during a software certification test of Hola Browser version 1.251.91.0; it was not part of the package the vendor had declared and submitted for certification.
The finding immediately raised concerns because the file exhibited several characteristics commonly associated with suspicious software. According to Sophos, the executable was not listed among the browser's certified components, lacked a digital signature and timestamp, contained obfuscated code, and included functionality capable of modifying memory. While none of these traits alone proves malicious intent, researchers noted that such a file should not have appeared inside the installation directory of a certified application.
Hola is best known for its rather controversial VPN and proxy services, and claims hundreds of millions of users across its products.
Further investigation suggested the problem was not tied to a static installer package. The researchers did not observe the rogue file in every test run, indicating that the executable was being delivered only under certain conditions. This inconsistency pointed researchers toward a potential supply chain issue involving the software delivery pipeline, content distribution network, update mechanism, or build process rather than a permanently modified installer.
Separately from the certification tests, Sophos also identified the same executable in its telemetry and preserved a sample for analysis. Researchers concluded that the binary appeared to function as a cryptocurrency miner. The malware contained multiple strings associated with mining operations, including references to XMRig, one of the most widely used open-source Monero mining tools.
According to Sophos, the executable attempted to add itself to Windows Defender exclusion lists and included strings such as “killed orphan miner pid %d,” “user active, stopping miner,” and “m/cmd/xmrig-idle.”
When executed with administrator privileges, the malware copied itself to C:\Program Files\Hola\HolaMonitorService.exe and installed a Windows service named hola_monitor_svc that was configured to start automatically and run while the system was idle.
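The indicators reported above (the service name, the dropped file path, the Defender exclusion behaviour and the strings Sophos quoted) can be checked on a Windows host with the following read-only PowerShell triage script. It is an added example written for this article, not code from Hola, Sophos or Sygnia. The install directories it searches and the "hola" filter applied to Defender exclusions are assumptions; only the service name, the dropped path and the miner strings come from the reporting. Run it in an elevated PowerShell session so that the Defender and service queries return complete results.

```powershell
# Added triage example for the Hola Browser miner incident (not vendor code).
# Read-only: it reports indicators and does not remove anything.

$ServiceName  = 'hola_monitor_svc'                                   # from the Sophos report
$DroppedPath  = 'C:\Program Files\Hola\HolaMonitorService.exe'       # from the Sophos report
$InstallDirs  = @("$env:ProgramFiles\Hola",                          # assumed install locations
                  "${env:ProgramFiles(x86)}\Hola",
                  "$env:LOCALAPPDATA\Hola")
$MinerStrings = @('killed orphan miner pid', 'user active, stopping miner',
                  'xmrig-idle', 'XMRig')                              # strings quoted by Sophos

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: the service the sample installed when run with admin rights.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add("Service '$ServiceName' present: StartMode=$($svc.StartMode) State=$($svc.State) Path=$($svc.PathName)")
}

# 2. The dropped copy of the binary.
if (Test-Path -LiteralPath $DroppedPath) {
    $findings.Add("Dropped file present: $DroppedPath")
}

# 3. Defender exclusions the miner tried to add for itself. The 'hola' filter is an
#    assumption; review the full lists if anything else on the host looks odd.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($ex -and $ex -match 'hola') {
            $findings.Add("Defender exclusion referencing Hola: $ex")
        }
    }
}

# 4. Executables in the install directories: flag anything not validly signed or not
#    timestamped (the traits Sophos called out), and look for the miner strings.
$binaries = foreach ($dir in $InstallDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue
    }
}

foreach ($bin in $binaries) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $bin.FullName
    $hash = (Get-FileHash -LiteralPath $bin.FullName -Algorithm SHA256).Hash

    if ($sig.Status -ne 'Valid') {
        $findings.Add("Not validly signed ($($sig.Status)): $($bin.FullName) SHA256=$hash")
    } elseif (-not $sig.TimeStamperCertificate) {
        $findings.Add("Signed but not timestamped: $($bin.FullName) signer='$($sig.SignerCertificate.Subject)' SHA256=$hash")
    }

    # Crude string check: decode the raw bytes as ASCII and as UTF-16LE, since either
    # encoding is common in Windows binaries. A packed or obfuscated sample can hide
    # these strings, so a miss here is not a clean bill of health.
    $bytes = [System.IO.File]::ReadAllBytes($bin.FullName)
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
    $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
    $hits  = $MinerStrings | Where-Object { $ascii.Contains($_) -or $utf16.Contains($_) }
    if ($hits) {
        $findings.Add("Miner strings in $($bin.FullName): $($hits -join '; ') SHA256=$hash")
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the Hola Browser miner incident were found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Two caveats on reading the output. A `Valid` signature only tells you the file was signed by some trusted certificate, so check the reported signer subject against the vendor you expect rather than treating `Valid` as proof of provenance. And the SHA256 hashes are printed so that a suspicious file can be preserved and compared with vendor or AV intelligence before anything is deleted, which matters if an incident responder later needs the sample.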
After Sophos reported its findings through the AppEsteem certification program, Hola launched an internal investigation and engaged incident response firm Sygnia to conduct a forensic review. In a statement provided to Sophos, Hola CEO Avi Raz Cohen confirmed that the company had identified anomalous activity within its software distribution pipeline and described the incident as a supply chain compromise.
According to the company, the affected delivery mechanism was disabled immediately, and the unwanted software was removed from both infrastructure and impacted systems. Hola stated that Sygnia's investigation found no evidence that user data had been accessed, stolen, or exposed. The company estimated that approximately 0.1% of users were affected.
Hola says it has since rebuilt its distribution pipeline, strengthened code-signing verification processes, implemented tighter access controls, and expanded infrastructure monitoring to prevent similar incidents in the future.
Users who have installed Hola Browser on Windows should update to the latest version and run a full antivirus scan. Given the persistence described above, it is also worth confirming that the hola_monitor_svc service and C:\Program Files\Hola\HolaMonitorService.exe are not present and reviewing Windows Defender's exclusion lists for entries that were not added deliberately.