{"id":30679,"date":"2026-06-22T17:47:21","date_gmt":"2026-06-22T16:47:21","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/?p=30679"},"modified":"2026-06-22T17:47:21","modified_gmt":"2026-06-22T16:47:21","slug":"hola-browser-supply-chain-attack-cryptominer","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/hola-browser-supply-chain-attack-cryptominer\/30679\/","title":{"rendered":"Hackers hijacked Hola Browser for secret crypto mining"},"content":{"rendered":"<p>In early June, cybersecurity researchers discovered that a compromised version of the Israel-based Hola Browser for Windows (version 1.251.91.0) was secretly <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hola-browser-for-windows-compromised-to-deliver-cryptominer\/\" target=\"_blank\" rel=\"noopener nofollow\">downloading<\/a> a Monero crypto miner to users\u2019 devices. Shortly after the discovery, Hola confirmed that it had fallen victim to a supply chain attack. In this article, we break down how the attack went down, how the crypto miner works, and what it means for affected users.<\/p>\n<h2>What is Hola Browser, and how was the malware discovered?<\/h2>\n<p>The Israeli company Hola is best known for its VPN service, which users primarily rely on to bypass geo-restrictions and access region-locked content. In addition to the VPN, the company develops Hola Browser\u00a0\u2014 a Chromium-based browser that comes with built-in VPN and proxy features.<\/p>\n<p>Researchers first spotted signs of trouble during a standard compliance check for the <a href=\"https:\/\/appesteem.com\" target=\"_blank\" rel=\"noopener nofollow\">AppEsteem Windows Certified Application<\/a> program. As part of this certification process, independent cybersecurity firms audit software to ensure it only contains the components it claims to have and is free of unwanted or malicious features. 
Even after a certificate is granted, apps are regularly re-evaluated to ensure they continue to meet AppEsteem\u2019s strict guidelines.<\/p>\n<p>It was during one of these routine follow-up checks that experts noticed an unauthorized file bundling itself with version <strong><em>1.251.91.0<\/em><\/strong> of Hola Browser for Windows. Once installed, the file saved itself to the hard drive at <strong><em>C:\\Program Files\\Hola\\me{.}exe<\/em><\/strong>. The file immediately raised red flags for researchers due to a laundry list of suspicious characteristics: it wasn\u2019t on the list of approved application files, lacked a timestamp, and had no digital signature. On top of that, its code was heavily obfuscated, and it possessed the ability to inject itself directly into system memory.<\/p>\n<p>Interestingly, researchers noted that the file didn\u2019t show up in every single installation. Because the infection wasn\u2019t widespread across all users, experts suspected early on that a specific stage in the Hola Browser distribution pipeline had been compromised. Hola later confirmed this theory, admitting it had fallen victim to a supply chain attack.<\/p>\n<p>As for the suspicious <strong><em>me{.}exe<\/em><\/strong> file itself, closer analysis revealed that it was a stealthy crypto miner configured to mine Monero. We\u2019ll now dive into the technical details of how it works.<\/p>\n<h2>How did attackers use Hola Browser to mine Monero?<\/h2>\n<p>Crypto miners are programs that harness a computer\u2019s processing power to mine cryptocurrency. While some users install this software intentionally to generate a bit of income, miners that run on a machine without the owner\u2019s knowledge are typically classified as unwanted.<\/p>\n<p>Running a hidden miner can noticeably slow down the device, spike the user\u2019s electricity bill, and shorten the hardware\u2019s lifespan. 
That being said, it\u2019s worth noting that a crypto miner infection will not actually steal the owner\u2019s cryptocurrency; the damage is strictly limited to the hijackers leeching your computer\u2019s hardware resources to line their own pockets.<\/p>\n<p>As we mentioned above, the malicious download bundled with Hola Browser sneaked a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Monero\" target=\"_blank\" rel=\"noopener nofollow\">Monero<\/a> crypto miner onto victims\u2019 devices. Launched in 2014 and built on the CryptoNote protocol, Monero currently trades at <a href=\"https:\/\/coinmarketcap.com\/currencies\/monero\/\" target=\"_blank\" rel=\"noopener nofollow\">around US$330 per coin.<\/a><\/p>\n<p>Compared to heavyweights like Bitcoin or Ethereum, Monero is a bit exotic and lesser-known to the general public. This niche status shows in its relatively modest price growth and smaller market capitalization\u00a0\u2014 which is roughly 200 times lower than Bitcoin\u2019s. However, Monero has one defining feature: privacy. While Bitcoin and Ethereum operate on fully transparent, public blockchains, where anyone can trace transactions, Monero is a \u201cprivacy coin\u201d. It uses advanced cryptographic mechanisms to mask the sender, receiver, and transaction amounts. This extreme anonymity is exactly why hackers <a href=\"https:\/\/www.kaspersky.com\/blog\/?s=Monero\" target=\"_blank\" rel=\"noopener nofollow\">love hidden Monero miners<\/a>\u00a0\u2014 it makes it difficult for law enforcement and cybersecurity professionals to follow the money trail.<\/p>\n<p>Additionally, Monero\u2019s underlying algorithm is explicitly designed to mine efficiently using standard computer processors (CPUs). This stands in stark contrast to many other popular cryptocurrencies, which require specialized ASIC hardware or high-end graphics cards (GPUs) to be profitable.<\/p>\n<p>But let\u2019s look closer at how this played out with Hola Browser. 
When researchers dissected the malicious <strong><em>me{.}exe<\/em><\/strong> code, they found it was automatically adding its own files to the Microsoft Defender exclusion list. By allowlisting itself, the malware successfully blinded Windows\u2019 built-in antivirus, allowing the crypto miner to run in the background completely unhindered.<\/p>\n<p>Once inside, the program made a copy of itself under the name <strong><em>HolaMonitorService{.}exe<\/em><\/strong>, and set up a persistent Windows background service called <strong><em>hola_monitor_svc<\/em><\/strong>. This maneuver allowed the malware to entrench itself in the system, automatically launching every time the computer restarted. To avoid raising any red flags with sudden massive performance drops, the miner was programmed to stay dormant, kicking into gear only when the computer was idle.<\/p>\n<h2>How to protect your device from crypto miners and malware<\/h2>\n<p>To their credit, Hola\u2019s development team responded swiftly to the initial reports of the suspicious file. They confirmed the supply chain breach, but stated that the incident only impacted 0.1% of their user base. The company has since tightened up security around its update distribution pipeline to guarantee that users only receive approved, certified, and digitally-signed software components moving forward.<\/p>\n<p>In light of this incident, we highly recommend that all Hola Browser users update to the latest version immediately\u00a0\u2014 especially those running the application on Windows.<\/p>\n<p>More broadly, this situation is a textbook reminder of why it\u2019s so critical to keep all your software up to date and run a\u00a0<a href=\"https:\/\/www.kaspersky.co.uk\/home-security?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">robust cybersecurity solution<\/a> on all your gadgets. 
For instance, <a href=\"https:\/\/www.kaspersky.co.uk\/premium?icid=gb_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>\u00a0provides real-time alerts about suspicious software behavior and blocks threats instantly. As an added bonus, a <a href=\"https:\/\/www.kaspersky.co.uk\/premium?icid=gb_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>\u00a0subscription includes a <a href=\"https:\/\/www.kaspersky.co.uk\/vpn-secure-connection?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____vpn___\" target=\"_blank\" rel=\"noopener\">secure and reliable VPN<\/a>.<\/p>\n<blockquote><p>Don\u2019t forget that malicious crypto miners don\u2019t just target PCs; they also go after smartphones, often disguising themselves as anything from popular mobile games to official government service apps. Check out our previous posts to learn more:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/beatbanker-btmob-android-malware-disguised-starlink-inss-reembolso\/55401\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Android Trojan posing as government services and Starlink apps<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/what-happens-if-you-download-cracked-program\/53278\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>What happens if you download a cracked program?<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/miner-disguised-as-circumvention-tools\/53118\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Miner inconvenience: how cybercriminals blackmail YouTubers into promoting malware<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/mario-forever-malware-too\/48547\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Mario Forever, malware too: a free game with a miner and Trojans 
inside<\/strong><\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-geek\">\n","protected":false},"excerpt":{"rendered":"<p>Because of a supply chain attack, some Windows users unknowingly downloaded a Monero crypto miner along with their Hola Browser installation. <\/p>\n","protected":false},"author":2726,"featured_media":30680,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2026],"tags":[2106,1922,2040,2139,2226,2189,698,422,113],"class_list":{"0":"post-30679","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-browsers","9":"tag-cryptocurrencies","10":"tag-miners","11":"tag-monero","12":"tag-supply-chain","13":"tag-supply-chain-attack","14":"tag-trojans","15":"tag-vpn","16":"tag-windows"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hola-browser-supply-chain-attack-cryptominer\/30679\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hola-browser-supply-chain-attack-cryptominer\/30837\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hola-browser-supply-chain-attack-cryptominer\/25877\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hola-browser-supply-chain-attack-cryptominer\/42102\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hola-browser-supply-chain-attack-cryptominer\/55999\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hola-browser-supply-chain-attack-cryptominer\/30787\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hola-browser-supply-chain-attack-cryptominer\/36347\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hola-browser-supply-chain-attack-cryptominer\/36237\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/cryptocurrencies\
/","name":"cryptocurrencies"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/30679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=30679"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/30679\/revisions"}],"predecessor-version":[{"id":30682,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/30679\/revisions\/30682"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/30680"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=30679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=30679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=30679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}