Supply Chain Compromise Delivered XMRig-Like Miner via Hola Browser
Sophos X-Ops reported that Hola Browser version 1.251.91.0 was distributed with an undeclared executable, me.exe, discovered during an AppEsteem Windows Certified Application validation test. The file was absent from the certified component list and showed multiple suspicious characteristics, including no code signing, no timestamp, obfuscated code, memory-write capability, and behavior consistent with a cryptocurrency miner. Sophos said the preserved sample appeared to be an XMRig-based miner and detects it as Troj/GoMiner-B.
Hola said its update distribution pipeline suffered a supply chain compromise that affected about 0.1% of users, adding that it found no evidence of user data access or exfiltration. Sophos assessed the issue was more likely caused by delivery-path or pipeline variance than by a malicious fixed installer payload, and escalated the case through AppEsteem. Hola and AppEsteem said the affected delivery pipeline was halted and rebuilt, while stronger code-signing verification, tighter access controls, continuous monitoring, and a forensic investigation supported by Sygnia were put in place.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
New miner behaviors disclosed in Hola compromise analysis
Further analysis of the me.exe payload found it established persistence as the Windows service hola_monitor_svc, ran when systems were idle, and tried to evade detection by adding a Windows Defender exclusion. These details expanded the known technical behavior of the XMRig-based miner delivered through the compromised Hola Browser pipeline.
Sophos identifies preserved sample as XMRig-based miner
Sophos identified the preserved me.exe sample as an apparent XMRig-based miner and detects it as Troj/GoMiner-B. This provided technical characterization of the suspicious executable delivered with Hola Browser.
Hola and AppEsteem halt and rebuild affected delivery pipeline
According to Hola and AppEsteem, the affected delivery pipeline was halted and rebuilt following the compromise. They also implemented stronger code-signing verification, tighter access controls, and continuous monitoring.
Hola discloses supply chain compromise in update distribution pipeline
Hola stated that its update distribution pipeline had suffered a supply chain compromise affecting 0.1% of users. The company said no user data was accessed or exfiltrated and that it had engaged Sygnia to support the forensic investigation.
Sophos escalates Hola Browser finding through AppEsteem
After analyzing the unexpected executable, Sophos concluded the issue likely resulted from delivery-path or pipeline variance rather than a fixed installer payload. Sophos then escalated the matter through AppEsteem for further handling.
Sophos finds undeclared me.exe in Hola Browser validation test
During an AppEsteem Windows Certified Application validation test, Sophos X-Ops discovered an undeclared executable named me.exe being delivered alongside Hola Browser version 1.251.91.0. Sophos found the file suspicious because it was absent from the certified component list and showed traits including no code signing, no timestamp, obfuscated code, memory-write capability, and behavior consistent with a crypto-miner.
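The finding above came from noticing a delivered file that was absent from the declared component list. The following added example (not code from Sophos, AppEsteem, Hola or this page) shows one way to run that kind of check on an install directory; the manifest format, the function names and every file name other than me.exe are assumptions, and all file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_install(install_dir: Path, declared: dict) -> dict:
    """Compare executables on disk with a declared {relative_path: sha256} list."""
    found = {}
    for p in install_dir.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            # Windows paths are case-insensitive, so compare in lower case.
            rel = p.relative_to(install_dir).as_posix().lower()
            found[rel] = sha256_hex(p.read_bytes())
    declared = {k.lower(): v.lower() for k, v in declared.items()}
    return {
        "undeclared": sorted(found.keys() - declared.keys()),
        "modified": sorted(k for k in found.keys() & declared.keys()
                           if found[k] != declared[k]),
        "missing": sorted(declared.keys() - found.keys()),
    }


def demo() -> dict:
    """Constructed install tree: one clean file, one altered DLL, one extra me.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "browser.exe").write_bytes(b"constructed browser image")
        (root / "app" / "helper.dll").write_bytes(b"constructed helper, altered")
        (root / "me.exe").write_bytes(b"constructed stand-in, not the real sample")
        (root / "readme.txt").write_bytes(b"non-executable, ignored")
        declared = {  # hypothetical certified component list
            "browser.exe": sha256_hex(b"constructed browser image"),
            "app/helper.dll": sha256_hex(b"constructed helper"),
            "updater.exe": "0" * 64,
        }
        return audit_install(root, declared)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A hash allowlist covers the undeclared-file and altered-file cases only; the missing code signature and timestamp that the report also lists need a separate Authenticode check.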
Sources
Windows version of the Hola browser distributed a miner - Хакер
xakep.ru
Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer - Cyber Security News
cybersecuritynews.com
Hola browser supply chain attack delivers cryptocurrency miner | brief | SC Media
scworld.com
You do surprise me.exe: An unexpected executable in Hola Browser | SOPHOS
sophos.com
Hola Browser for Windows compromised to deliver cryptominer
bleepingcomputer.com


