Hola Browser for Windows Bundled Monero Miner in Supply Chain Hit

AppEsteem found a Monero cryptominer bundled inside Hola Browser's Windows installer, hidden as a Windows service and excluded from Windows Defender scanning.

A security certification check by AppEsteem found that the Windows version of Hola Browser had been compromised in a supply chain attack: the browser’s installation package silently deployed a Monero cryptocurrency miner, which then disguised itself as a Windows system service, added itself to Windows Defender’s exclusion list, and activated only when the computer was idle to minimize detection risk.

How the Hola Browser Supply Chain Compromise Was Engineered to Avoid Detection

AppEsteem discovered the attack during a periodic security certification audit of Hola Browser on June 4. The malicious executable, named me.exe, was found installed in C:\Program Files\Hola — the browser’s own installation directory, where it would be treated as a legitimate browser component by both users and security tools. The miner was independently detected by Sygnia, confirming that the compromise was broad enough to surface through multiple security research workflows before formal disclosure.

The engineering choices behind me.exe reveal a deliberate effort to maximize mining uptime while minimizing the probability of user detection. The miner executes only when the computer is idle — a behavioral constraint that prevents the CPU consumption spike that typically alerts users to background processes consuming compute resources. On a machine that spends significant time idle overnight or between work sessions, this design could sustain active mining for hours without triggering any visible performance degradation.

Monero Miner’s Windows Defender Exclusion Disables OS-Level Detection

The most operationally significant evasion technique in the Hola Browser miner is not the idle-only execution pattern but the Defender exclusion: me.exe automatically created Windows Defender exclusion rules for its own files on installation. This means that the built-in OS security layer that most Windows users rely on as primary malware protection was actively disabled for the miner’s files by the miner itself — leaving no default detection path available to users who did not have a third-party security product installed.

The miner additionally carried no digital code signature and used obfuscated code, reducing its detectability by signature-based scanning. To achieve persistence across reboots, it installed itself as HolaMonitorService.exe and registered as a Windows service named hola_monitor_svc, ensuring that a system restart would restart the miner without requiring any further attacker action.

AppEsteem Discovery and Hola’s Distribution Pipeline Rebuild

Following AppEsteem’s discovery, Hola CEO Avi Raz Cohen confirmed the breach and disclosed the company’s response. Hola reported that approximately 0.1% of its Windows users were affected and stated that no evidence of user data access, theft, or compromise had been found — characterizing the attack as financially motivated through Monero mining rather than credential theft or espionage. Cohen confirmed that Hola has completely rebuilt its distribution pipeline, implemented code-signing verification across the build process, and introduced tighter access controls and continuous monitoring to prevent recurrence.

Scope Assessment and the Monero Mining Economics at Scale

The 0.1% of Windows users that Hola reported as affected is a small share of its installation base, but Monero mining attacks are designed around scale economics: the profitability of idle-only cryptomining across a large distributed install base depends on aggregate compute time rather than individual machine performance. Even a small percentage of a widely installed browser’s user base represents substantial combined mining capacity when aggregated across machines operating overnight and between sessions.

What Windows Users Who Installed Hola Browser Should Do Now

Windows users who have Hola Browser installed should remove the application and scan for the hola_monitor_svc Windows service in the Services management console (services.msc). The presence of that service on a system that did not deliberately install it indicates the miner payload was deployed. Because me.exe created Windows Defender exclusion rules for its own directory, Defender may not flag the executable even when running a manual scan — users should also check Windows Security settings under “Virus & threat protection” > “Exclusions” for any entries pointing to the Hola installation directory and remove them before running a full system scan with a fully updated antivirus engine.
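The following PowerShell script is an added example and is not code from the article, AppEsteem, or Hola. It automates the steps this section describes and checks the persistence and evasion indicators named earlier (the hola_monitor_svc service, HolaMonitorService.exe and me.exe under the Hola install directory, and Defender exclusions pointing at that directory). The directory, file and service names come from the article; the function names, the output layout and the Service Control Manager event 7045 lookup (which records when a service was installed) are this example's own assumptions. It uses the standard Defender cmdlets (Get-MpPreference, Remove-MpPreference, Update-MpSignature, Start-MpScan) and must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article, AppEsteem, or Hola. Triage and
# clean-up for the indicators the article names. Values taken from the article:
#   install directory  C:\Program Files\Hola
#   dropper            me.exe
#   service binary     HolaMonitorService.exe
#   service name       hola_monitor_svc
# Function names, output shape and the event-log check are this example's own.

$HolaDir     = 'C:\Program Files\Hola'
$ServiceName = 'hola_monitor_svc'
$FileNames   = @('me.exe', 'HolaMonitorService.exe')

function Get-HolaMinerIndicators {
    $findings = @()

    # 1. Persistence: the Windows service the miner registers. Win32_Service
    #    exposes the binary path, which Get-Service does not.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if ($svc) {
        $findings += [pscustomobject]@{
            Type = 'Service'; Path = $svc.PathName
            Note = "service $($svc.Name), state $($svc.State), start mode $($svc.StartMode)"
        }
    }

    # 2. When the service was installed: Service Control Manager writes event
    #    7045 ("A service was installed in the system") to the System log.
    $installEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $ServiceName }
    foreach ($ev in $installEvents) {
        $findings += [pscustomobject]@{
            Type = 'ServiceInstallEvent'; Path = $null
            Note = "installed $($ev.TimeCreated)"
        }
    }

    # 3. Dropped files in the browser's own install directory. The article
    #    reports the miner is unsigned, so the Authenticode status is recorded.
    foreach ($name in $FileNames) {
        $path = Join-Path $HolaDir $name
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $findings += [pscustomobject]@{
                Type = 'File'; Path = $path; Note = "signature status $($sig.Status)"
            }
        }
    }

    # 4. Defender exclusions pointing into the install directory, or naming one
    #    of the dropped binaries. A clean Hola install has no reason to exclude
    #    itself from scanning.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -like "$HolaDir*") {
            $findings += [pscustomobject]@{ Type = 'ExclusionPath'; Path = $p; Note = 'Defender path exclusion' }
        }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p -and ($p -like "$HolaDir*" -or $FileNames -contains (Split-Path $p -Leaf))) {
            $findings += [pscustomobject]@{ Type = 'ExclusionProcess'; Path = $p; Note = 'Defender process exclusion' }
        }
    }

    return $findings
}

function Remove-HolaMinerIndicators {
    $findings = Get-HolaMinerIndicators
    if (-not $findings) { Write-Host "No $ServiceName indicators found."; return }
    $findings | Format-Table Type, Path, Note -AutoSize

    foreach ($f in $findings) {
        switch ($f.Type) {
            'Service' {
                Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
                # sc.exe works on Windows PowerShell 5.1, which lacks Remove-Service.
                & sc.exe delete $ServiceName | Out-Null
            }
            'ExclusionPath'    { Remove-MpPreference -ExclusionPath    $f.Path }
            'ExclusionProcess' { Remove-MpPreference -ExclusionProcess $f.Path }
            'File'             { Remove-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue }
        }
    }

    # Exclusions are gone, so the scan can now see the directory. Refresh
    # signatures first, as the article advises, then run a full scan.
    Update-MpSignature
    Start-MpScan -ScanType FullScan
}

Remove-HolaMinerIndicators
```

Running Get-HolaMinerIndicators alone lists what was found without changing anything, which is the safer first step on a machine you want to preserve for investigation; Remove-HolaMinerIndicators then stops and deletes the service, clears the exclusions, deletes the dropped binaries and launches the full scan. Uninstalling Hola Browser itself is still done through Settings > Apps, as the article recommends; the script only deals with the miner's own footprint.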

The Hola Browser incident follows a pattern of browser and developer software supply chain attacks in which trusted software distribution channels are used to deliver payloads to users who have no reason to scrutinize the installation beyond the source’s reputation.
