Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer
Cybersecurity NewsArchived Jun 05, 2026✓ Full text saved
A trusted browser application has landed at the center of a supply chain security incident after researchers discovered that its official delivery pipeline had been quietly compromised. Hola Browser for Windows, used by millions of users around the world, was found distributing an unexpected executable file alongside its legitimate installer. The file, named me.exe, was […] The post Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer appeared first on Cyber Security New
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer
By Tushar Subhra Dutta
June 5, 2026
A trusted browser application has landed at the center of a supply chain security incident after researchers discovered that its official delivery pipeline had been quietly compromised.
Hola Browser for Windows, used by millions of users around the world, was found distributing an unexpected executable file alongside its legitimate installer.
The file, named me.exe, was not part of the browser’s declared software package, and it appears to have been silently dropped onto users’ systems without their knowledge or consent.
The issue came to light during a routine certification review conducted through the AppEsteem Windows Certified Application program.
AppEsteem, an AMTSO-certified organization founded in 2016, runs periodic validation tests to confirm that certified software matches its declared and approved installation footprint.
During one such test involving Hola Browser version 1.251.91.0, the unexpected file was detected sitting inside the browser’s installation directory at C:\Program Files\Hola\me.exe.
Analysts at Sophos X-Ops identified the suspicious file and flagged it as a Potentially Unwanted Application during the certification test.
According to Sophos report shared with Cyber Security News (CSN), Sophos noted that the binary was not code signed, carried no timestamp, contained obfuscated code, and had memory-write capability.
While each of these traits alone might not raise an alarm on its own, together they painted a clear picture of something that had absolutely no business being bundled with a certified application.
Further investigation revealed that the file did not appear in every single test run, which ruled out the possibility of it being hardcoded into the installer itself.
This inconsistency pointed instead to a delivery-path issue, suggesting that the binary was being pushed through the update distribution pipeline under specific conditions.
In short, AppEsteem had certified one clean version of Hola Browser, but some users were receiving more than what had been certified.
After the issue was escalated through AppEsteem to Hola, the company confirmed that me.exe was never meant to be part of their installer.
Hola’s CEO Avi Raz Cohen acknowledged that their internal monitoring had also detected the anomaly, and independent cybersecurity firm Sygnia was brought in to conduct a thorough forensic review.
Sygnia’s findings confirmed this was a supply chain compromise, with the incident affecting roughly 0.1% of users and no user data accessed or exfiltrated at any point.
Hola Browser for Windows Delivery Pipeline Compromised
The me.exe binary appears to be based on XMRig, a well-known open-source crypto-mining tool. When run with administrative rights, the file copies itself to a new path within the Hola directory and registers itself as a Windows service named hola_monitor_svc.
This service is set to autostart and activates specifically when the host machine is idle, making it harder for the average user to notice any unusual activity or performance slowdown.
To avoid detection, the binary also performed a Windows Defender exclusion, effectively asking the operating system to ignore its presence entirely.
The strings found inside the file, including references to stopping the miner when a user becomes active, suggest it was carefully designed to run quietly in the background at all times. Sophos has classified this particular threat under the detection name Troj/GoMiner-B.
Supply Chain Risk and Pipeline Integrity
This incident is a strong reminder that even certified and trusted software can become a vehicle for malicious payloads when the delivery pipeline itself is compromised.
The fact that the file did not appear consistently across test environments made it harder to catch through standard certification checks alone.
It took a combination of third-party testing and security vendor telemetry working together to ultimately surface the full scope of the issue.
Following the discovery, Hola rebuilt its distribution pipeline from the ground up, introduced advanced code-signing verification, and tightened access controls across its entire infrastructure.
The company also committed to continuous monitoring to ensure that only declared and properly signed components ever reach end users going forward.
The outcome here represents the certification ecosystem working as intended, with an integrity problem caught, escalated, and fully resolved before it could grow into something far more damaging.
Indicators of Compromise (IoCs):-
Type Indicator Description
SHA256 174086534a2de730058465a4a4e231ce3778ab17ebebfd7f62b3bf9750bc7bdb Hola Browser installer certified hash
SHA1 8046735d354814bf9ef9a053cb9cad8cfec261f2 Hola Browser installer certified hash
MD5 8462f61e68b37d220eab2462b3cbcec8 Hola Browser installer certified hash
SHA256 e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721 me.exe cryptominer binary captured in Sophos telemetry
File Name me.exe Undeclared cryptominer executable dropped in Hola Browser directory
File Path C:\Program Files\Hola\me.exe Location of the malicious binary on affected systems
File Path C:\Program Files\Hola\HolaMonitorService.exe Path the binary copies itself to when run with admin rights
Service Name hola_monitor_svc Windows service created by the miner for persistence and autostart
Detection Name Troj/GoMiner-B Sophos detection classification for the me.exe binary
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware
Claude Down for Users Worldwide as Hundreds Report Service Issues
Attackers Abuse Docker and Kubernetes Misconfigurations to Compromise Host Systems
Web App and API Attacks are Rising: Are You Blind to AI Web Attacks? Join Free WAAP Security Webinar
The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks
Latest News
Cyber Security News
Microsoft 365 Service Degradation Bypassed Windows Driver Auto-Update Controls
Cyber Security News
New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets
Cyber Security News
Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
Cyber Security News
Agentic AI Red Teaming Reveals Zero-Click Human-in-the-Loop Bypass Attack Chains
Cyber Security News
Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances