Hola Browser Windows Pipeline Compromised to Deliver Cryptom
A trusted browser application now finds itself at the center of a supply chain security incident. Researchers recently uncovered a quiet compromise within its official delivery pipeline.
Hola Browser for Windows, used by millions of users around the world, was found distributing an unexpected executable file alongside its legitimate installer.
The file, named me.exe, was not part of the browser’s declared software package, and it appears to have been silently dropped onto users’ systems without their knowledge or consent.
The issue came to light during a routine certification review conducted through the AppEsteem Windows Certified Application program.
AppEsteem, an AMTSO-certified organization founded in 2016, runs periodic validation tests to confirm that certified software matches its declared and approved installation footprint.
During one such test involving Hola Browser version 1.251.91.0, the unexpected file was detected sitting inside the browser’s installation directory at C:\Program Files\Hola\me.exe.
Analysts at Sophos X-Ops identified the suspicious file and flagged it as a Potentially Unwanted Application during the certification test.
According to a Sophos report shared with Cyber Security News (CSN), the binary was not code signed, carried no timestamp, contained obfuscated code, and had memory-write capability.
While none of these traits would raise an alarm on its own, together they painted a clear picture of something that had absolutely no business being bundled with a certified application.
Further investigation revealed that the file did not appear in every single test run, which ruled out the possibility of it being hardcoded into the installer itself.
This inconsistency pointed instead to a delivery-path issue, suggesting that the binary was being pushed through the update distribution pipeline under specific conditions.
In short, AppEsteem had certified one clean version of Hola Browser, but some users were receiving more than what had been certified.
After the issue was escalated through AppEsteem to Hola, the company confirmed that me.exe was never meant to be part of their installer.
Hola’s CEO Avi Raz Cohen acknowledged that their internal monitoring had also detected the anomaly, and independent cybersecurity firm Sygnia was brought in to conduct a thorough forensic review.
Sygnia’s findings confirmed this was a supply chain compromise, with the incident affecting roughly 0.1% of users and no user data accessed or exfiltrated at any point.
Hola Browser for Windows Delivery Pipeline Compromised
The me.exe binary appears to be based on XMRig, a well-known open-source crypto-mining tool. When run with administrative rights, the file copies itself to a new path within the Hola directory and registers itself as a Windows service named hola_monitor_svc.
This service is set to autostart and activates specifically when the host machine is idle, making it harder for the average user to notice any unusual activity or performance slowdown.
To avoid detection, the binary also added a Windows Defender exclusion for itself, effectively asking the operating system to ignore its presence entirely.
The strings found inside the file, including references to stopping the miner when a user becomes active, suggest it was carefully designed to run quietly in the background at all times. Sophos has classified this particular threat under the detection name Troj/GoMiner-B.
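The persistence and evasion artifacts described above translate directly into host-level checks. The PowerShell hunt script below is an added example, not code from the article, Sophos, AppEsteem or Hola: it reads the service table, the Hola install directory, Defender's exclusion list and the System event log for the names and paths the article gives (hola_monitor_svc, C:\Program Files\Hola\me.exe) and only reports what it finds. It assumes an elevated Windows PowerShell session on a host with Microsoft Defender installed; the output shape is my own.

```powershell
# Added example (not from the article, Sophos, AppEsteem or Hola): read-only hunt for
# the artifacts the article attributes to me.exe. Run elevated; nothing is changed.
$findings = @()

# 1. Windows service the miner registers (service name taken from the article)
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='hola_monitor_svc'"
if ($svc) {
    $findings += [pscustomobject]@{ Check = 'Service'
        Detail = "$($svc.Name) StartMode=$($svc.StartMode) State=$($svc.State) Path=$($svc.PathName)" }
}

# 2. Executables under the Hola install directory that are unsigned or carry the dropped name
$holaDir = 'C:\Program Files\Hola'
if (Test-Path -LiteralPath $holaDir) {
    foreach ($exe in Get-ChildItem -LiteralPath $holaDir -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        if ($sig.Status -ne 'Valid' -or $exe.Name -ieq 'me.exe') {
            $sha = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Check = 'Binary'
                Detail = "$($exe.FullName) Signature=$($sig.Status) SHA256=$sha" }
        }
    }
}

# 3. Defender path/process exclusions covering the Hola directory (the article says the miner added one)
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    foreach ($ex in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
        if ($ex -and $ex -like '*\Hola*') {
            $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $ex }
        }
    }
}

# 4. Service-installation events (System log, Event ID 7045) that name the service
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents 500 -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    if ($ev.Message -match 'hola_monitor_svc') {
        $findings += [pscustomobject]@{ Check = 'Event7045'; Detail = $ev.TimeCreated.ToString('u') }
    }
}

if ($findings.Count -eq 0) { 'No Hola miner artifacts found on this host.' }
else { $findings | Format-Table -AutoSize }
```

The four checks are deliberately independent: the service may already have been removed while the Defender exclusion or the 7045 event remains, and a single surviving artifact is enough to justify pulling the host for a closer look. Because the miner only runs while the machine is idle, CPU-based telemetry taken during an interactive session will often look clean; the on-disk and configuration artifacts above do not have that blind spot.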
Supply Chain Risk and Pipeline Integrity
This incident is a strong reminder that even certified and trusted software can become a vehicle for malicious payloads when the delivery pipeline itself is compromised.
The fact that the file did not appear consistently across test environments made it harder to catch through standard certification checks alone.
It took a combination of third-party testing and security vendor telemetry working together to ultimately surface the full scope of the issue.
Following the discovery, Hola rebuilt its distribution pipeline from the ground up, introduced advanced code-signing verification, and tightened access controls across its entire infrastructure.
The company also committed to continuous monitoring to ensure that only declared and properly signed components ever reach end users going forward.
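The certification test the article describes compares what actually lands on disk against a declared footprint, and Hola's remediation adds signature verification on top. The functions below are an added example of that control, written here and not taken from AppEsteem's test harness or Hola's pipeline: one records the footprint of a known-good install as a manifest, the other compares a live install against it, flagging undeclared, modified and missing files and requiring a valid Authenticode signature on every PE file. The CSV manifest format with Path and SHA256 columns is an assumed format of my own.

```powershell
# Added example (not AppEsteem's or Hola's code). Manifest format is assumed:
# a CSV with columns Path (relative to the install root) and SHA256.

function New-InstallManifest {
    # Record the declared footprint from a known-good (certified) install.
    param([Parameter(Mandatory)][string]$InstallDir,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = $InstallDir.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($root.Length + 1)
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-InstallFootprint {
    # Compare a live install against the declared manifest; returns one string per problem.
    param([Parameter(Mandatory)][string]$InstallDir,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = $InstallDir.TrimEnd('\')
    $declared = @{}
    foreach ($row in Import-Csv -LiteralPath $ManifestPath) {
        $declared[$row.Path.ToLowerInvariant()] = $row.SHA256.ToUpperInvariant()
    }
    $problems = @()
    $seen = @{}
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel  = $file.FullName.Substring($root.Length + 1).ToLowerInvariant()
        $seen[$rel] = $true
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if (-not $declared.ContainsKey($rel)) {
            $problems += "UNDECLARED $rel SHA256=$hash"          # e.g. a dropped me.exe
        } elseif ($declared[$rel] -ne $hash) {
            $problems += "MODIFIED   $rel expected=$($declared[$rel]) actual=$hash"
        }
        # Every PE file must carry a valid signature, whether or not it is declared
        if ($file.Extension -in '.exe', '.dll', '.sys') {
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            if ($sig.Status -ne 'Valid') {
                $problems += "UNSIGNED   $rel status=$($sig.Status)"
            }
        }
    }
    foreach ($p in $declared.Keys) {
        if (-not $seen.ContainsKey($p)) { $problems += "MISSING    $p" }
    }
    return $problems
}

# Usage: build the manifest from the certified build, then check any test install.
# New-InstallManifest   -InstallDir 'C:\Program Files\Hola' -ManifestPath '.\hola-footprint.csv'
# Test-InstallFootprint -InstallDir 'C:\Program Files\Hola' -ManifestPath '.\hola-footprint.csv'
```

The point the article makes about inconsistency is what drives the usage pattern: because the extra file did not appear in every run, a single comparison is not enough. Running Test-InstallFootprint on each fresh install across several test environments and over time is what turns an intermittent delivery-path problem into a reproducible finding, and the UNSIGNED check catches a dropped binary even if someone later adds it to the manifest by mistake.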
The outcome here represents the certification ecosystem working as intended, with an integrity problem caught, escalated, and fully resolved before it could grow into something far more damaging.
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.