Security researchers have identified a supply chain attack targeting the Hola Browser for Windows that resulted in the official installer being compromised to deliver an undeclared cryptocurrency mining executable alongside the legitimate browser installation. Users who downloaded and installed Hola Browser during the compromise window may have an active cryptominer running on their systems.
What Happened?
The Windows build of Hola Browser — a privacy-focused browser with built-in VPN capabilities — was modified in what appears to be a supply chain attack affecting the official distribution channel. Rather than relying on phishing, the attacker gained access to the browser's build or distribution infrastructure and injected a cryptomining payload into the installer package.
Researchers identified the bundled executable as a cryptocurrency miner — software that secretly uses the victim machine's CPU or GPU resources to mine cryptocurrency for the attacker's benefit, without the user's knowledge or consent.
How the Attack Works
When a user downloads and installs the compromised Hola Browser:
- The legitimate browser installs normally — users see no obvious signs of compromise
- The installer also silently drops and executes the cryptomining payload in the background
- The miner connects to the attacker's mining pool and begins consuming system resources
- Victims may notice elevated CPU usage, increased power consumption, or system slowdowns — but have no obvious indicator of infection
This technique is particularly effective because users have high trust in installers from official browser download pages, making them unlikely to scrutinize the installation process closely.
Impact on Affected Users
Users who installed Hola Browser from the compromised distribution may be experiencing:
- Elevated CPU/GPU usage — the miner continuously consumes processor resources
- Increased energy consumption — high sustained CPU load increases power draw
- System slowdowns — legitimate applications may compete with the miner for CPU time
- Potential hardware wear — sustained high-load operation accelerates thermal cycling on processors
The cryptominer does not appear to steal credentials or data — its primary goal is resource hijacking for cryptocurrency generation — but users should treat any compromised installer as a potential vector for more severe payloads that may have been present at the same time.
Who Is Affected?
Any Windows user who downloaded and installed Hola Browser during the period the compromised installer was distributed should assume their system may have the cryptominer installed. The exact distribution window had not been publicly confirmed at the time of publication.
Remediation Steps
- Uninstall Hola Browser immediately — use Windows Settings > Add/Remove Programs and remove all Hola-related entries
- Scan with updated antivirus — run a full system scan using updated malware definitions to detect and remove the cryptomining executable; many major AV vendors now detect this payload
- Check running processes — look for unfamiliar processes consuming high CPU in Task Manager; terminate and investigate any suspicious entries
- Review startup entries — check Task Scheduler and HKCU\Software\Microsoft\Windows\CurrentVersion\Run for unfamiliar startup entries that may have been added by the miner
- Monitor for residual activity — after removal, watch CPU usage over the next 24 hours to confirm the miner is no longer active
```powershell
# Check for suspicious scheduled tasks (PowerShell)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft*" } | Select-Object TaskName, TaskPath, State
# Check common autorun locations
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
```
Broader Context: Browser Supply Chain Attacks
This incident follows a broader trend of attackers targeting software distribution channels to compromise users at scale. Supply chain attacks against browsers and developer tools have escalated through 2025 and into 2026 — including attacks on npm packages, VS Code extensions, and browser installer pipelines.
Unlike direct malware distribution, supply chain attacks exploit the trust users place in official download sources. When the compromise occurs at the distribution level, traditional security advice ("only download from official sources") provides no protection.
Organizations should consider:
- Verifying installer checksums against vendor-published hashes before execution
- Monitoring endpoint telemetry for unexpected processes spawned by installer executables
- Implementing application allowlisting to prevent unknown executables from running
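The remediation steps above tell users to look for high-CPU processes in Task Manager and to keep watching CPU usage after removal; the following PowerShell function is an added example (not code from the advisory, from the researchers, or from Hola) that makes that check repeatable. It samples per-process CPU time over a short window and lists sustained consumers together with their Authenticode status and whether they run outside the standard program directories, which is the combination a dropped miner typically shows. The window length, the percentage threshold and the list of trusted roots are assumptions to tune per host.

```powershell
# Added example: report processes that sustain high CPU over a sampling window,
# with signature status and install location, to triage a suspected miner.
function Find-SustainedCpuConsumers {
    param(
        [int]$SampleSeconds = 15,        # assumed sampling window
        [double]$MinCpuPercent = 20.0    # assumed share of total machine CPU to report
    )
    $cores = [Environment]::ProcessorCount
    # Trusted roots are an assumption; adjust if software is legitimately installed elsewhere.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    # First sample: cumulative CPU seconds per PID (null when access is denied).
    $before = @{}
    foreach ($p in Get-Process) { $before[$p.Id] = $p.CPU }
    Start-Sleep -Seconds $SampleSeconds

    # Second sample: CPU seconds consumed inside the window, as a share of all cores.
    foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }                # started mid-window
        if ($null -eq $p.CPU -or $null -eq $before[$p.Id]) { continue }  # timing not readable
        $usedSeconds = $p.CPU - $before[$p.Id]
        $percent = 100.0 * $usedSeconds / ($SampleSeconds * $cores)
        if ($percent -lt $MinCpuPercent) { continue }

        $path = try { $p.Path } catch { $null }
        $sigStatus = 'Unknown'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sigStatus = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        $inTrustedRoot = $false
        foreach ($root in $trustedRoots) {
            if ($path -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
        }
        [pscustomobject]@{
            Pid                = $p.Id
            Name               = $p.ProcessName
            CpuPercent         = [math]::Round($percent, 1)
            Path               = $path
            Signature          = $sigStatus
            OutsideProgramDirs = -not $inTrustedRoot
        }
    }
}

# Unsigned binaries outside Program Files / Windows with sustained CPU load go to the top of the list.
Find-SustainedCpuConsumers |
    Sort-Object -Property @{Expression = 'OutsideProgramDirs'; Descending = $true}, @{Expression = 'CpuPercent'; Descending = $true} |
    Format-Table -AutoSize
```

Run it several times over the 24-hour monitoring period rather than once, since a miner may throttle itself while Task Manager or a shell is in the foreground.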