Full Report
The Windows version of the Hola Browser has been compromised in a supply chain attack that delivered an undeclared executable identified by researchers as a cryptocurrency miner. [...]
Analysis Summary
# Incident Report: Hola Browser Supply Chain Compromise
## Executive Summary
The Windows version of the Hola Browser was compromised in a supply chain attack, leading to the distribution of a persistent cryptocurrency miner to approximately 0.1% of its user base. The malicious executable ("me.exe") was discovered during third-party app integrity certification checks by Sophos and AppEsteem. Hola has since rebuilt its distribution pipeline and implemented stricter security controls to prevent unauthorized code injection.
## Incident Details
- **Discovery Date:** June 2024 (reported June 4, 2026)
- **Incident Date:** Ongoing until discovery in early June 2024
- **Affected Organization:** Hola (Israeli VPN/Browser provider)
- **Sector:** Technology / Software Development
- **Geography:** Global distribution (0.1% of users affected)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to June 2024)
- **Vector:** Supply Chain Compromise
- **Details:** Attackers gained access to Hola’s distribution pipeline, allowing them to bundle an undeclared, unsigned executable ("me.exe") with the legitimate browser installation.
### Lateral Movement
- **Details:** Information not disclosed regarding the attackers' movement within Hola’s internal corporate network; the focus remained on the delivery mechanism to end-users.
### Data Exfiltration/Impact
- **Impact:** System resource hijacking. The malicious file installed a Monero miner that activated during system idle time.
- **Data Theft:** According to Hola, there is no evidence of user data access or theft.
### Detection & Response
- **Discovery:** Detected by Sophos and AppEsteem during periodic "AppEsteem certification" integrity checks and independently by cybersecurity firm Sygnia.
- **Response:** Hola identified the breach point, cleaned the distribution pipeline, and notified users.
## Attack Methodology
- **Initial Access:** Supply Chain Injection (Distribution Pipeline).
- **Persistence:** Created an auto-starting Windows service named `hola_monitor_svc`.
- **Privilege Escalation:** Not specified, though the ability to write to Program Files and modify Windows Defender rules suggests high-level permissions.
- **Defense Evasion:** Code obfuscation; no digital signature/timestamp; added Windows Defender exclusion rules; renamed execution file to `HolaMonitorService.exe`.
- **Credential Access:** None reported.
- **Discovery:** Monitored system state to detect "idle" status before running.
- **Lateral Movement:** N/A (Endpoint execution).
- **Collection:** N/A.
- **Exfiltration:** Monero mining results sent to attacker-controlled pools.
- **Impact:** Resource exhaustion (Cryptojacking).
## Impact Assessment
- **Financial:** High operational costs for remediation; potential loss of revenue from uninstalled users.
- **Data Breach:** None reported; no evidence of PII/credential compromise.
- **Operational:** Disruption of the software distribution pipeline and forced complete rebuild of infrastructure.
- **Reputational:** High; adds to existing controversy regarding Hola's past traffic-handling practices.
## Indicators of Compromise
- **File indicators:**
- `me.exe` (Found in `C:\Program Files\Hola\`)
- `HolaMonitorService.exe`
- **Behavioral indicators:**
- Creation of Windows Service: `hola_monitor_svc`
- Modification of Windows Defender exclusion list.
- High CPU usage during system idle periods.
## Response Actions
- **Containment:** Removal of the compromised version from distribution servers.
- **Eradication:** Rebuilt the entire software distribution pipeline.
- **Recovery:** Implementation of advanced code-signing verification and tighter access controls.
- **Monitoring:** Introduced continuous monitoring across infrastructure to ensure only certified components are delivered.
## Lessons Learned
- **Key Takeaways:** Even "certified" software can be compromised post-certification, highlighting the need for continuous integrity monitoring rather than point-in-time checks.
- **Weaknesses:** The distribution pipeline lacked sufficient automated verification of binary signatures before deployment to the production environment.
## Recommendations
- **Binary Integrity:** Implement mandatory automated SHA-256 hash verification and digital signature checks for all files in the installer package.
- **CI/CD Security:** Enforce Multi-Factor Authentication (MFA) and "Four-Eyes" approval for all changes to the build and distribution environments.
- **Endpoint Protection:** Use EDR solutions to monitor for unauthorized service creation and modifications to Windows Defender exclusion paths.