{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pua/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Hola Browser (version 1.251.91.0)"],"_cs_severities":["high"],"_cs_tags":["supply-chain-compromise","cryptomining","pua","windows","executable"],"_cs_type":"advisory","_cs_vendors":["Hola"],"content_html":"\u003cp\u003eSophos X-Ops recently uncovered a supply chain compromise affecting Hola Browser (version 1.251.91.0) during an AppEsteem certification test. An undeclared and unsigned executable, \u003ccode\u003eme.exe\u003c/code\u003e, was found bundled with the browser installer and subsequently dropped to \u003ccode\u003eC:\\Program Files\\Hola\\\u003c/code\u003e. Analysis revealed \u003ccode\u003eme.exe\u003c/code\u003e to be a crypto-miner, identified by Sophos as Troj/GoMiner-B, which included characteristics such as obfuscated code and memory-write capabilities. This compromise, affecting approximately 0.1% of Hola Browser users, was attributed to anomalous activity within Hola's update distribution pipeline. Hola has since rectified the issue, rebuilt its pipeline, and implemented enhanced security measures to prevent future occurrences, with an independent forensic investigation corroborating the supply chain compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Delivery\u003c/strong\u003e: Users download Hola Browser version 1.251.91.0, which, due to a supply chain compromise in Hola's distribution pipeline, includes the undeclared crypto-miner \u003ccode\u003eme.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution\u003c/strong\u003e: During the browser installation or initial launch, \u003ccode\u003eme.exe\u003c/code\u003e is dropped onto the system, typically in \u003ccode\u003eC:\\Program Files\\Hola\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Setup\u003c/strong\u003e: \u003ccode\u003eme.exe\u003c/code\u003e copies itself to \u003ccode\u003eC:\\Program Files\\Hola\\HolaMonitorService.exe\u003c/code\u003e to masquerade as a legitimate component.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence / Service Creation\u003c/strong\u003e: The \u003ccode\u003eHolaMonitorService.exe\u003c/code\u003e binary creates a new Windows service named \u003ccode\u003ehola_monitor_svc\u003c/code\u003e, configured to automatically start and execute when the host is idle.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion\u003c/strong\u003e: The crypto-miner performs actions to create exclusions for itself within Windows Defender, aiming to prevent detection and termination.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Hijacking\u003c/strong\u003e: Once persistent and active, the \u003ccode\u003ehola_monitor_svc\u003c/code\u003e service (running \u003ccode\u003eHolaMonitorService.exe\u003c/code\u003e), an XMRig-based crypto-miner, begins mining cryptocurrency during periods of system idleness.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The crypto-mining activity consumes significant CPU and GPU resources, leading to degraded system performance, increased power consumption, and potentially reduced hardware lifespan for the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this compromise was resource hijacking on affected user systems. The \u003ccode\u003eme.exe\u003c/code\u003e crypto-miner, identified as Troj/GoMiner-B, consumed CPU and GPU resources to mine cryptocurrency, leading to severe degradation in system performance, increased electricity consumption, and potential hardware wear-and-tear for the estimated 0.1% of affected users. Beyond direct system performance, the supply chain compromise eroded user trust in a widely used application and highlighted the risks inherent in software distribution channels. Although Hola reported no user data was accessed or exfiltrated, the presence of an unauthorized executable posed a significant security risk, allowing an attacker to run arbitrary code on user machines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM for detection of \u003ccode\u003eme.exe\u003c/code\u003e execution, \u003ccode\u003eHolaMonitorService.exe\u003c/code\u003e creation, and \u003ccode\u003ehola_monitor_svc\u003c/code\u003e service registration.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event logging for \u003ccode\u003eprocess_creation\u003c/code\u003e (Event ID 1), \u003ccode\u003efile_creation\u003c/code\u003e (Event ID 11), and \u003ccode\u003eregistry_set\u003c/code\u003e (Event ID 13) to ensure telemetry for the rules in this brief.\u003c/li\u003e\n\u003cli\u003eReview systems for the presence of \u003ccode\u003eme.exe\u003c/code\u003e (SHA256: \u003ccode\u003ee3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721\u003c/code\u003e) or \u003ccode\u003eHolaMonitorService.exe\u003c/code\u003e in \u003ccode\u003eC:\\Program Files\\Hola\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure Hola Browser installations are updated to versions released after the fix to prevent exposure to the compromised distribution pipeline.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-14T09:42:17Z","date_published":"2026-06-14T09:42:17Z","id":"https://feed.craftedsignal.io/briefs/2026-06-hola-browser-cryptominer/","summary":"Sophos X-Ops discovered that Hola Browser version 1.251.91.0 was distributed with an undeclared crypto-mining executable, me.exe, due to a supply chain compromise, leading to resource hijacking on affected Windows systems.","title":"You do surprise me.exe: Unexpected Crypto-Miner in Hola Browser","url":"https://feed.craftedsignal.io/briefs/2026-06-hola-browser-cryptominer/"}],"language":"en","title":"CraftedSignal Threat Feed - Pua","version":"https://jsonfeed.org/version/1.1"}