Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: cryptominer (1 article)Clear

Hola Browser for Windows compromised in supply-chain attack delivering undeclared Monero miner disguised as HolaMonitorService.exe

The Windows version of the Chromium-based Hola Browser has been compromised in a supply-chain attack that delivered an undeclared cryptocurrency miner. The compromise was caught during AppEsteem certification checks, with Sophos and others finding an uncertified, unsigned, obfuscated executable, me.exe, under C:\Program Files\Hola\. Analysis identified it as a Monero miner: it adds a Windows Defender exclusion, copies itself to Program Files as HolaMonitorService.exe, creates an auto-starting service named hola_monitor_svc, and runs when the machine is idle. Hola - the Israeli company behind Hola VPN, long controversial for turning free users into proxies - confirmed the compromise (independently detected by Sygnia) but says only about 0.1% of users were affected.

Check
Inventory Windows endpoints for Hola Browser installs. Check for me.exe or HolaMonitorService.exe under C:\Program Files\Hola\, the hola_monitor_svc service, and Defender exclusion rules. Hunt for Monero-miner traffic.
Affected
Windows users who installed or updated Hola Browser during the compromise window. The undeclared Monero miner adds a Defender exclusion, persists as a service, and runs when idle.
Fix
Remove Hola Browser and the me.exe / HolaMonitorService.exe miner, delete the hola_monitor_svc service, and remove the malicious Defender exclusion. Block the mining pool and monitor for residual persistence.