Security researchers at Sophos identified an undeclared crypto-mining executable bundled with Hola Browser during routine AppEsteem Windows Certified Application testing. The component, named me.exe, was flagged as a Potentially Unwanted Application (PUA) and exhibited multiple red flags including lack of code signing, obfuscated code, and memory-write capabilities. The file was not present in all installer distributions, suggesting inconsistencies in Hola's software delivery pipeline rather than a fixed installer payload.
Analysis revealed the binary functioned as a cryptocurrency miner based on XMRig. When executed with administrative privileges, it copied itself to the Hola program directory as HolaMonitorService.exe and created an autostart service configured to run during system idle periods. The malware also attempted to add Windows Defender exclusions to avoid detection. Sophos now detects this threat as Troj/GoMiner-B.
Hola CEO Avi Raz Cohen confirmed the incident was a supply chain compromise affecting approximately 0.1% of users. The company stated their internal security monitoring detected the anomalous activity independently, and they engaged cybersecurity firm Sygnia to conduct a forensic investigation. According to both Hola's internal review and Sygnia's findings, no user data was accessed or exfiltrated during the incident.
The discovery highlights the value of industry certification programs in identifying supply chain integrity issues. AppEsteem's testing process, which validates that shipped binaries match declared certified components, caught the discrepancy when multiple security vendors flagged the unauthorized executable. The inconsistent presence of me.exe across different test runs indicated a pipeline configuration problem rather than intentional inclusion.
Hola has since halted the affected delivery pipeline and completely rebuilt their distribution infrastructure. The company implemented advanced code-signing verification, tighter access controls, and continuous monitoring to prevent similar incidents. Organizations using Hola Browser should verify they are running the latest version and scan systems for the presence of me.exe or HolaMonitorService.exe in the Hola program directory.
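The scan recommended above can be scripted. The following is an added PowerShell example, not code from Sophos, Hola or AppEsteem: it checks for the two file names, for services pointing at HolaMonitorService.exe, and for matching Windows Defender exclusions. The `-HolaDir` parameter is an assumption, because the write-up does not state the install path.

```powershell
# Added triage example, not from the original write-up.
# Assumption: -HolaDir is supplied by the operator; the page does not give the path.
param(
    [Parameter(Mandatory)]
    [string]$HolaDir
)

$names = 'me.exe', 'HolaMonitorService.exe'   # file names from the write-up
$exclusionPattern = '{0}|HolaMonitorService\.exe|(^|\\)me\.exe$' -f [regex]::Escape($HolaDir)

$findings = @(
    # 1. Named files under the install directory, with hash and signature
    #    status (the reported binary was not code-signed).
    if (Test-Path -LiteralPath $HolaDir) {
        Get-ChildItem -LiteralPath $HolaDir -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $sig  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                [pscustomobject]@{ Check = 'File'; Item = $_.FullName
                                   Detail = "SHA256=$hash Signature=$sig" }
            }
    }

    # 2. Services whose image path points at the copied binary.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'HolaMonitorService\.exe' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Service'; Item = $_.Name
                               Detail = "$($_.StartMode)/$($_.State) $($_.PathName)" }
        }

    # 3. Defender exclusions that cover the directory or the named files.
    #    Reading exclusions needs an elevated session.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        @($mp.ExclusionPath) + @($mp.ExclusionProcess) |
            Where-Object { $_ -and $_ -match $exclusionPattern } |
            ForEach-Object {
                [pscustomobject]@{ Check = 'DefenderExclusion'; Item = $_
                                   Detail = 'Review and remove if not set by an administrator' }
            }
    }
)

if ($findings.Count -eq 0) { 'No indicators from the write-up found.' }
else { $findings | Format-List }
```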
Source: https://www.sophos.com/blog/you-do-surprise-me-exe-an-unexpected-executable-in-hola-browser


