3Corns

Hola Browser for Windows compromised to deliver cryptominer
The Windows version of Hola Browser has been caught distributing an undisclosed executable that researchers have identified as a cryptocurrency miner, in what appears to be a supply chain attack against the popular Chromium-based browser. The compromise came to light during routine certification checks conducted as part of AppEsteem's application integrity testing process — a procedure Hola Browser had previously passed without issue.

Hola is an Israeli technology company widely recognized for its VPN product, which allows users to route their internet traffic through other users' devices or paid proxy servers to circumvent geographic content restrictions. Hola Browser builds on the Chromium engine and bundles that same VPN and proxy functionality directly into the browsing experience. The company has faced scrutiny before over the way it handles user traffic, particularly in connection with Luminati Networks — a commercial service that effectively turned free VPN users into proxy nodes without transparent disclosure.

During the most recent integrity evaluation, Sophos and other cybersecurity firms involved in the assessment discovered an uncertified executable named me.exe being silently installed in some cases under C:\Program Files\Hola\. The file raised immediate red flags: it lacked a digital signature, carried no timestamp, contained obfuscated code, and had the ability to write to system memory.

Further analysis by Sophos confirmed the binary as a Monero cryptocurrency miner. Once active, it adds an exclusion rule to Windows Defender to avoid detection, copies itself to Program Files under the name HolaMonitorService.exe, registers a persistent Windows service called hola_monitor_svc set to launch automatically, and runs silently in the background when the system is idle — quietly mining cryptocurrency at the expense of the user's hardware and electricity.
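
The indicators named above (me.exe, HolaMonitorService.exe, the hola_monitor_svc service and the Defender exclusion) can be checked on a host with a read-only PowerShell triage script. This is an added example, not code from the article, Sophos or AppEsteem. Assumptions: the article does not give the exact folder of the copied binary or the excluded path, so the script searches Program Files recursively and matches exclusions containing "hola"; run it elevated, since Defender hides exclusions from non-administrators.

```powershell
# Added triage example (not from the article). Read-only: reports, changes nothing.
# File and service names come from the article. The recursive search and the
# 'hola' exclusion match are assumptions, because the article omits those details.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. The dropped executable and its renamed copy.
$candidates = @()
$dropped = Join-Path $env:ProgramFiles 'Hola\me.exe'
if (Test-Path -LiteralPath $dropped) { $candidates += Get-Item -LiteralPath $dropped }
$candidates += Get-ChildItem -Path $env:ProgramFiles -Filter 'HolaMonitorService.exe' `
    -Recurse -File -ErrorAction SilentlyContinue

foreach ($file in $candidates) {
    # The article describes the binary as unsigned, so record the signature status
    # and a SHA-256 hash for later comparison with vendor reporting.
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
    Add-Finding 'File' ("{0} signature={1} sha256={2}" -f $file.FullName, $sig.Status, $hash)
}

# 2. The persistent service and the binary it launches.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='hola_monitor_svc'" `
    -ErrorAction SilentlyContinue
if ($svc) {
    Add-Finding 'Service' ("{0} start={1} state={2} path={3}" -f `
        $svc.Name, $svc.StartMode, $svc.State, $svc.PathName)
}

# 3. Windows Defender exclusions that reference Hola (path or process).
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    foreach ($entry in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($entry -match 'hola') { Add-Finding 'DefenderExclusion' $entry }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the article were found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on the service or the exclusion without the files still warrants investigation, since the binaries may have been removed while the persistence and the Defender blind spot remain.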


