Hola Browser Supply-Chain Attack Delivers Monero Miner to Windows Users
The rogue component, named hola_monitor_svc.exe, was located in the installation directory ".\Program Files\Holame\". It was unsigned, lacked a timestamp, and was not part of the browser’s approved file list. Its code was heavily obfuscated, enabling it to inject itself into system memory. The fact that the file did not appear in every installation suggested that a specific stage in Hola’s distribution pipeline had been tampered with.
Once executed, the malware added itself to the Windows Defender exclusion list, effectively bypassing the built‑in antivirus. It then replicated as HolaMonitorService.exe and set up a persistent background service named hola_monitor_svc. The service was configured to start automatically at boot and to run only when the system was idle, thereby minimizing its performance impact and reducing the chance of detection.
The miner was designed to work with Monero (XMR), a privacy‑oriented cryptocurrency that uses the CryptoNote protocol and the RandomX proof‑of‑work algorithm. Monero’s architecture allows efficient CPU mining, which makes it attractive for cryptojacking campaigns aimed at ordinary desktop processors. Because Monero transactions are untraceable, the illicit earnings are difficult for law enforcement to follow.
Hola confirmed that the supply‑chain breach affected only about 0.1 % of its user base. The company said it had tightened security around its update distribution pipeline to ensure that future releases are approved, digitally signed, and free of unauthorized components.
Security experts advise all Hola Browser users, especially those on Windows, to update to the latest version immediately. They also recommend running a reputable antivirus solution that can detect stealthy miners and reviewing the Windows Defender exclusion list for unfamiliar entries.
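A read-only triage script for the indicators named above, added here as an example and not taken from Hola or the original report. It assumes the install root sits under %ProgramFiles% (the article gives only ".\Program Files\Holame\") and that it runs from an elevated PowerShell prompt so Defender exclusions are readable.

```powershell
# Added triage example: checks only, changes nothing on the host.
# File and service names are those quoted in the article.
$InstallDir  = Join-Path $env:ProgramFiles 'Holame'   # assumption: install root
$FileNames   = 'hola_monitor_svc.exe', 'HolaMonitorService.exe'
$ServiceName = 'hola_monitor_svc'
$findings    = [System.Collections.Generic.List[object]]::new()

# 1. Named files, plus any executable in the install directory that is not validly signed.
if (Test-Path -Path $InstallDir) {
    Get-ChildItem -Path $InstallDir -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($FileNames -contains $_.Name -or $sig.Status -ne 'Valid') {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                $findings.Add([pscustomobject]@{
                    Check  = 'File'
                    Item   = $_.FullName
                    Detail = "Signature=$($sig.Status); SHA256=$hash"
                })
            }
        }
}

# 2. The persistent service, matched by name or by the binary it launches.
$pattern = ($FileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $ServiceName -or $_.PathName -match $pattern } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'Service'
            Item   = $_.Name
            Detail = "StartMode=$($_.StartMode); State=$($_.State); Path=$($_.PathName)"
        })
    }

# 3. Every Defender exclusion, so unfamiliar entries can be reviewed by hand.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if (-not $entry) { continue }
        $note = if ($entry -match 'hola') { 'matches article indicator' } else { 'review: expected?' }
        $findings.Add([pscustomobject]@{ Check = $kind; Item = $entry; Detail = $note })
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No indicators from the article were found on this host.' }
```

An empty result covers only the names reported in the article; the exclusion list in step 3 is still worth reading in full, since any entry the administrator did not add deserves an explanation.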
The incident underscores the risk of supply‑chain attacks in the software ecosystem. Even well‑known applications can become vectors for malware if their distribution chain is compromised. Users should keep software up to date and maintain robust endpoint protection to mitigate similar threats.
At present, no further attacks have been reported against Hola Browser, and the company has not issued additional statements. The incident remains a reminder that vigilance is essential for both developers and users in the evolving landscape of digital security.