Back to Intelligence

Hola Browser Supply Chain Compromise: Cryptominer Detection and Removal

SA
Security Arsenal Team
June 4, 2026
6 min read

Security researchers have identified a critical supply chain attack targeting the Windows version of the Hola Browser. In this campaign, the legitimate update mechanism or installer for the browser was compromised to deliver an undeclared executable identified as a cryptocurrency miner. For defenders, this represents a significant failure of software integrity, affecting environments where users may have installed this VPN/proxy utility for privacy purposes. The immediate risk involves unauthorized resource consumption (CPU/GPU) and the potential for the supply chain vector to deliver more destructive payloads in the future.

Technical Analysis

  • Affected Product: Hola Browser for Windows.
  • Attack Vector: Supply Chain Compromise. The attackers manipulated the browser's delivery channel to serve a malicious update or installer alongside or instead of the legitimate binaries.
  • Payload: An undeclared executable (cryptocurrency miner).
  • CVE Identifier: None assigned. This incident is a software integrity failure rather than a specific software vulnerability exploitation (CVE). The trust in the vendor's distribution infrastructure was the primary failure point.
  • Exploitation Status: Confirmed active exploitation. The malicious binary is being delivered to users attempting to install or update the browser.

From a defensive perspective, the attack chain involves a trusted process (the browser installer or updater) spawning a child process (the miner). This technique often bypasses application allow-listing that trusts the parent binary. The miner typically establishes connections to mining pool servers using specific ports or protocols, creating a detectable network footprint despite the obfuscated delivery method.

Detection & Response

To determine if your environment has been compromised, hunt for anomalies in process lineage and network connections. Supply chain attacks like this rely on the "parent process" trust relationship; we look for the browser spawning processes that are not itself or expected system components.

YAML
---
title: Hola Browser Spawning Undeclared Suspicious Process
id: 8a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects Hola Browser or its updater spawning a process that is not the browser itself, a known dependency, or an installer, indicative of the supply chain cryptominer activity.
references:
  - https://www.bleepingcomputer.com/news/security/hola-browser-for-windows-compromised-to-deliver-cryptominer/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.execution
  - attack.t1059
  - attack.supply_chain
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - '\Hola Browser\'
      - '\hola_updater.exe'
      - 'hola.exe'
  selection_child:
    Image|endswith:
      - '.exe'
  filter_legit_browser:
    Image|contains:
      - '\Hola Browser\'
      - '\hola.exe'
  filter_legit_installer:
    Image|contains:
      - '\Temp\'
      - '\setup'
    CommandLine|contains:
      - '/update'
      - '/install'
condition: selection_parent and selection_child and not 1 of filter_legit*
falsepositives:
  - Legitimate user-installed extensions launching helpers (rare)
level: high
---
title: Cryptominer Network Activity from Browser Context
id: 9b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects outbound network connections on ports commonly associated with cryptocurrency mining (Stratum protocol) initiated by a browser process.
references:
  - https://www.bleepingcomputer.com/news/security/hola-browser-for-windows-compromised-to-deliver-cryptominer/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection_ports:
    DestinationPort:
      - 3333
      - 4444
      - 14444
      - 3335
  selection_source:
    Image|contains:
      - 'hola.exe'
  filter_localhost:
    DestinationIp:
      - '127.0.0.1'
      - '::1'
condition: selection_ports and selection_source and not filter_localhost
falsepositives:
  - Legitimate websocket traffic to gaming servers (unlikely on these specific ports)
level: high


**KQL (Microsoft Sentinel / Defender)**

Hunt for process creation events where the Hola browser acts as a parent process to unexpected executables. This query targets the specific behavior of the supply chain payload execution.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has "hola" 
| where ProcessFileName !contains "hola" 
| where not(ProcessFileName in~ ("conhost.exe", "cmd.exe", "powershell.exe", "WerFault.exe"))
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc


**Velociraptor VQL**

This VQL artifact hunts for processes running on the endpoint that were spawned by Hola Browser. It helps responders identify the active payload execution on compromised hosts.

VQL — Velociraptor
-- Identify suspicious child processes spawned by Hola Browser
SELECT Pid, Name, CommandLine, Exe, Username,ppid
FROM pslist()
WHERE ppid IN (
    SELECT Pid FROM pslist() WHERE Name =~ "hola.exe" OR Name =~ "hola_updater.exe"
)
AND NOT Name =~ "hola"


**Remediation Script (PowerShell)**

Use this script to halt the malicious activity and remove the compromised application from the system. Note: Administrative privileges are required.

PowerShell
# Requires Administrator Privileges
Write-Host "[*] Initiating Hola Browser Incident Response Script..." -ForegroundColor Cyan

# 1. Terminate Hola Processes and potential child miners
Write-Host "[*] Terminating Hola Browser processes..." -ForegroundColor Yellow
Get-Process | Where-Object { $_.ProcessName -like "*hola*" } | Stop-Process -Force -ErrorAction SilentlyContinue

# 2. Uninstall Hola Browser via Registry/WMI
Write-Host "[*] Attempting automated uninstallation..." -ForegroundColor Yellow
$uninstallPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

$holaApps = Get-ItemProperty $uninstallPaths -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like "*Hola*" }

if ($holaApps) {
    foreach ($app in $holaApps) {
        Write-Host "[+] Found application: $($app.DisplayName)" -ForegroundColor Green
        if ($app.UninstallString) {
            $uninstallCmd = $app.UninstallString -replace '"', ''
            $args = ($app.UninstallString -replace $uninstallCmd, '').Trim()
            Start-Process -FilePath $uninstallCmd -ArgumentList $args -Wait -ErrorAction SilentlyContinue
        }
    }
} else {
    Write-Host "[-] Hola Browser not found in standard uninstall registry keys." -ForegroundColor Red
}

# 3. Clean up残留 Directories (User Profile and Program Files)
Write-Host "[*] Removing residual directories..." -ForegroundColor Yellow
$pathsToRemove = @(
    "$env:LOCALAPPDATA\Hola Browser",
    "$env:PROGRAMFILES\Hola Browser",
    "$env:PROGRAMFILES(X86)\Hola Browser"
)

foreach ($path in $pathsToRemove) {
    if (Test-Path $path) {
        Write-Host "[+] Removing directory: $path" -ForegroundColor Green
        Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Write-Host "[*] Remediation complete. Please reboot the system." -ForegroundColor Cyan

Remediation

  1. Immediate Isolation: If a host is detected mining cryptocurrency, isolate it from the network immediately to prevent lateral movement or data exfiltration (if the payload includes other capabilities).
  2. Application Removal: Uninstall the Hola Browser immediately. Do not rely on the "update" feature, as the update channel itself is the vector of compromise. Use the PowerShell script provided above or remove it via the Control Panel.
  3. System Re-imaging: Due to the nature of supply chain attacks, there is a risk that additional persistence mechanisms were established beyond the browser directory. If the security team lacks full visibility into the timeline of the compromise, re-imaging the endpoint is the safest course of action.
  4. Vendor Communication: Monitor the official Hola Browser website for a clean, signed installer. Once the vendor confirms the integrity of their build pipeline is restored and a new version is available, evaluate re-deployment only if the business case justifies the risk.
  5. Supply Chain Vetting: Update your software approval policy to require higher scrutiny for VPN/Proxy clients, as these applications often have deep system access and are high-value targets for supply chain actors.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirsupply-chaincryptominingmalware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action