Hola Browser Hit by Supply Chain Attack, Delivers Cryptominer
The **Hola Browser** for Windows has been impacted by a sophisticated supply chain attack, leading to the covert installation of a **Monero** cryptocurrency miner. Discovered during routine certification checks, the compromise highlights the persistent threat of malicious code injection into trusted software distribution channels. While **Hola** states only a small fraction of users were affected, the incident underscores critical security concerns for IT professionals and privacy-conscious individuals.

### Hola Browser Compromised in Supply Chain Attack
The Windows version of the **Hola Browser** has been found compromised in a supply chain attack. This breach led to the surreptitious delivery of an undeclared executable, later identified by researchers as a cryptocurrency miner.
The compromise was first uncovered during periodic checks run on **Hola Browser** under **AppEsteem**'s certification testing procedure, a standard the browser had previously met.
### The Hola Ecosystem: VPN and Browser
**Hola** is an Israeli company primarily known for **Hola VPN**, a service that enables users to bypass geographic restrictions by routing internet traffic through other users' devices or paid proxy infrastructure. The **Hola Browser**, built on **Chromium**, integrates this VPN and proxy functionality directly.
Historically, **Hola** and its products have faced scrutiny due to opaque traffic-handling practices, particularly concerning its commercial service, **Luminati Networks**, which controversially turned free users into proxies.
### Unpacking the Cryptominer: 'me.exe'
During recent app integrity evaluations, cybersecurity firms including **Sophos** discovered an undeclared executable named 'me.exe' being installed in some instances under `C:\Program Files\Hola\`. This file lacked certification, a timestamp, and a digital signature. Furthermore, it contained obfuscated code and exhibited memory writing capabilities.
Upon deeper examination, **Sophos** confirmed the binary's true nature as a **Monero** cryptocurrency miner. The malware was found to add a **Windows Defender** exclusion rule, copy itself to `Program Files` as 'HolaMonitorService.exe', establish an auto-starting Windows service named 'hola_monitor_svc', and activate when the host computer was idle.
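The artifacts described above can be checked on a Windows host with a short triage script. This is an added example, not tooling from Hola, Sophos or AppEsteem. The file names, service name and install path come from the article, while the recursive search root and the exclusion-matching pattern are assumptions, since the article gives neither the exact copy location nor the excluded item.

```powershell
#Requires -RunAsAdministrator
# Added triage example. Indicator names are taken from the article;
# the search root and the exclusion pattern below are assumptions.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

function Get-SignatureStatus([string]$Path) {
    # The article describes me.exe as unsigned; report the Authenticode state.
    (Get-AuthenticodeSignature -LiteralPath $Path).Status
}

# 1. Undeclared executable in the Hola install directory (path from the article).
$dropper = 'C:\Program Files\Hola\me.exe'
if (Test-Path -LiteralPath $dropper) {
    Add-Finding 'me.exe present' "$dropper (signature: $(Get-SignatureStatus $dropper))"
}

# 2. Auto-starting service named hola_monitor_svc.
$svc = Get-CimInstance Win32_Service -Filter "Name='hola_monitor_svc'"
if ($svc) {
    Add-Finding 'hola_monitor_svc service' "$($svc.PathName) (start mode: $($svc.StartMode), state: $($svc.State))"
}

# 3. Persisted copy. The exact subfolder is not given, so search Program Files.
Get-ChildItem -LiteralPath 'C:\Program Files' -Filter 'HolaMonitorService.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Add-Finding 'HolaMonitorService.exe present' "$($_.FullName) (signature: $(Get-SignatureStatus $_.FullName))"
    }

# 4. Defender exclusions. The excluded item is not stated in the article, so
#    list any path or process exclusion that mentions Hola or a file named me.exe.
$pref = Get-MpPreference
$pattern = 'hola|(^|\\)me\.exe$'
@($pref.ExclusionPath) + @($pref.ExclusionProcess) |
    Where-Object { $_ -and $_ -match $pattern } |
    ForEach-Object { Add-Finding 'Defender exclusion' $_ }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No indicators from the article found on this host.' }
```

A legitimate Hola install may itself match the `hola` pattern in step 4, so treat an exclusion hit as a lead to review rather than proof of compromise.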
### Hola's Response and Remediation Efforts
**Hola** was promptly informed of the findings by **AppEsteem** and confirmed the supply chain compromise. This breach was also independently detected by cybersecurity firm **Sygnia**.
Despite the incident, **Hola** asserts that only approximately 0.1% of its user base was affected. The company also states there is no evidence of user data access, theft, or broader compromise.
**Hola**'s CEO, **Avi Raz Cohen**, assured users of significant security enhancements: "We have since completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure." He added, "These measures are designed to ensure that only declared, certified, and signed components are ever delivered to our users."
As of publication, requests for more information regarding the breach's origin, perpetrators, or potential impact on other platforms have not received a response from **Hola**.