Hola Browser Supply Chain Attack Delivers Monero Miner to Windows Users In a recent supply chain compromise, attackers infiltrated Hola Browser’s software distribution pipeline, delivering a hidden Monero cryptocurrency miner to a subset of Windows users. The incident was uncovered during routine certification testing by Sophos X-Ops as part of the AppEsteem program, where researchers detected an undeclared executable me.exe in Hola Browser version 1.251.91.0. Analysis revealed the file functioned as a cryptominer, leveraging XMRig a widely used open-source mining tool to exploit infected systems. The malware employed evasion tactics, including adding itself to Windows Defender exclusion lists and installing a persistent service (hola_monitor_svc) that activated during idle periods. Despite its stealthy behavior, the executable exhibited red flags, such as missing digital signatures, obfuscated code, and unauthorized memory modifications. Hola confirmed the attack stemmed from a compromise in its distribution infrastructure rather than a permanently infected installer. The company, with assistance from cybersecurity firm Sygnia, conducted a forensic investigation and determined that only 0.1% of users were affected. No evidence of data theft or exposure was found. In response, Hola rebuilt its distribution pipeline, implementing stricter code-signing verification, access controls, and continuous monitoring. The incident underscores the growing threat of supply chain attacks, where trusted software delivery channels become vectors for malicious payloads, even in certified applications.