Supply Chain Compromise of Hola Browser Delivers Monero Cryptominer to Windows Users
What Happened – The Windows version of Hola Browser was infiltrated in a supply‑chain attack that inserted an unsigned executable (me.exe) which functions as a Monero cryptocurrency miner. The malicious binary creates a Windows service, adds a Windows Defender exclusion, and runs when the host is idle.
Why It Matters for TPRM –
- A compromised third‑party application can introduce hidden workloads that degrade performance and increase utility‑bill costs.
- Supply‑chain breaches bypass traditional endpoint controls, exposing organizations that whitelist the vendor’s software.
- Even low‑volume infections (≈0.1 % of users) demonstrate the risk of trusting unsigned updates from external vendors.
Who Is Affected – Consumer‑grade Windows PCs running Hola Browser; enterprises that allow employee use of the browser or embed it in internal web‑access solutions.
Recommended Actions –
- Immediately audit all endpoints for the presence of me.exe, HolaMonitorService.exe, and the hola_monitor_svc service.
- Block execution of unsigned binaries from the Hola installation path via application control policies.
- Review and tighten third‑party software approval processes; require code‑signing verification for all updates.
Technical Notes – The attacker leveraged a compromised distribution pipeline to inject the miner; the binary is obfuscated, unsigned, and lacks a timestamp. It adds a Windows Defender exclusion, copies itself to C:\Program Files\Hola\, and runs as a service when the system is idle. No evidence of data exfiltration was found. Source: BleepingComputer
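The audit step in Recommended Actions and the indicators in Technical Notes can be checked together with a read‑only host script. The following PowerShell is an added example, not code from the article, BleepingComputer, or Hola; the indicator names (me.exe, HolaMonitorService.exe, hola_monitor_svc, C:\Program Files\Hola\) come from the summary above, while the script structure, variable names, and the decision to flag every unsigned executable in the vendor directory are assumptions made for illustration. Run it from an elevated session; it changes nothing on the host and returns a non‑zero exit code when any indicator is present so it can be scheduled through an EDR or RMM job.

```powershell
# Added example (not from the article or the vendor): audit one Windows host for
# the Hola miner indicators named in the summary. Read-only; triage before remediating.
# Indicator names and the install path are from the article; the rest is illustrative.

$HolaPath   = 'C:\Program Files\Hola'
$FileIoCs   = @('me.exe', 'HolaMonitorService.exe')
$ServiceIoC = 'hola_monitor_svc'
$Findings   = [System.Collections.Generic.List[string]]::new()

# 1. Service check: is the service from the advisory registered, and what binary does it run?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceIoC'" -ErrorAction SilentlyContinue
if ($svc) {
    $Findings.Add("Service '$($svc.Name)' present (state=$($svc.State), start=$($svc.StartMode), path=$($svc.PathName))")
}

if (Test-Path -LiteralPath $HolaPath) {
    # 2. File check: the two named binaries anywhere under the install path, with hash and signature.
    Get-ChildItem -LiteralPath $HolaPath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $FileIoCs -contains $_.Name } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            $Findings.Add("File $($_.FullName) found (signature=$($sig.Status), size=$($_.Length) bytes, sha256=$hash)")
        }

    # 3. Signing check: the implant is unsigned and untimestamped, so any executable in the
    #    vendor directory without a valid Authenticode signature is worth a second look.
    Get-ChildItem -LiteralPath $HolaPath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $Findings.Add("Unsigned or invalid signature: $($_.FullName) ($($sig.Status))")
            }
        }
}

# 4. Defender exclusion check: the miner adds an exclusion so its files are not scanned.
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    foreach ($ex in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
        if (-not $ex) { continue }
        $hitsIoC = $FileIoCs | Where-Object { $ex -like "*$_*" }
        if ($ex -like '*Hola*' -or $hitsIoC) {
            $Findings.Add("Defender exclusion references Hola or a listed file: $ex")
        }
    }
}

# 5. Report and signal: exit 1 when anything was found, 0 on a clean host.
if ($Findings.Count -eq 0) {
    Write-Output "No Hola miner indicators found on $env:COMPUTERNAME"
    exit 0
}
Write-Output "Indicators found on $env:COMPUTERNAME:"
$Findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

The signature check deliberately casts wider than the two named files: a legitimate vendor build should carry a valid signature on every executable it ships, so an unsigned file in that directory is the right thing to escalate regardless of its name. For the "block unsigned binaries" action, the same Authenticode property is what an AppLocker or WDAC publisher rule keys on, so the hosts this script flags are also the ones where such a rule would have prevented execution.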