How Hola Browser was weaponized to spread a Monero miner | Kaspersky official blog
A supply chain attack left some Windows users with a Monero crypto miner bundled right into their Hola Browser installation. Here is a breakdown of the incident.
AI Analysis
Technical Summary
In early June 2026, researchers discovered that a compromised version (1.251.91.0) of the Israel-based Hola Browser for Windows was distributing a Monero crypto miner via a supply chain attack. The malicious executable (me.exe) was bundled with the browser installation, lacked digital signatures, and was heavily obfuscated. It added itself to Microsoft Defender's exclusion list to evade detection and established persistence through a Windows background service named hola_monitor_svc. The miner operated stealthily, activating only when the computer was idle to avoid performance degradation alerts. Hola confirmed the supply chain compromise and has since enhanced security measures for its software distribution.
Potential Impact
Affected users unknowingly had their system resources hijacked to mine Monero cryptocurrency, leading to potential performance degradation, increased electricity consumption, and reduced hardware lifespan. The attack did not involve theft of cryptocurrency or direct data compromise but resulted in unauthorized use of computing resources. The infection was limited to approximately 0.1% of Hola Browser Windows users running version 1.251.91.0.
Mitigation Recommendations
Hola has addressed the supply chain breach by securing its update distribution pipeline to ensure only approved, digitally signed software is delivered. Users should immediately update Hola Browser to the latest version to avoid infection. Running updated antivirus solutions capable of detecting such threats is recommended. Since the vendor has confirmed remediation efforts, no additional urgent actions are required beyond updating the software.
How Hola Browser was weaponized to spread a Monero miner | Kaspersky official blog
Description
A supply chain attack left some Windows users with a Monero crypto miner bundled right into their Hola Browser installation. Here is a breakdown of the incident.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In early June 2026, researchers discovered that a compromised version (1.251.91.0) of the Israel-based Hola Browser for Windows was distributing a Monero crypto miner via a supply chain attack. The malicious executable (me.exe) was bundled with the browser installation, lacked digital signatures, and was heavily obfuscated. It added itself to Microsoft Defender's exclusion list to evade detection and established persistence through a Windows background service named hola_monitor_svc. The miner operated stealthily, activating only when the computer was idle to avoid performance degradation alerts. Hola confirmed the supply chain compromise and has since enhanced security measures for its software distribution.
Potential Impact
Affected users unknowingly had their system resources hijacked to mine Monero cryptocurrency, leading to potential performance degradation, increased electricity consumption, and reduced hardware lifespan. The attack did not involve theft of cryptocurrency or direct data compromise but resulted in unauthorized use of computing resources. The infection was limited to approximately 0.1% of Hola Browser Windows users running version 1.251.91.0.
Mitigation Recommendations
Hola has addressed the supply chain breach by securing its update distribution pipeline to ensure only approved, digitally signed software is delivered. Users should immediately update Hola Browser to the latest version to avoid infection. Running updated antivirus solutions capable of detecting such threats is recommended. Since the vendor has confirmed remediation efforts, no additional urgent actions are required beyond updating the software.
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/hola-browser-supply-chain-attack-cryptominer/55999/","fetched":true,"fetchedAt":"2026-06-22T17:07:43.305Z","wordCount":1500}
Threat ID: 6a396bdfeed863c81e2c312f
Added to database: 06/22/2026, 17:07:43 UTC
Last enriched: 06/22/2026, 17:07:49 UTC
Last updated: 06/22/2026, 19:29:13 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.