
You do surprise me.exe: An unexpected executable in Hola Browser

Following a certification test, Sophos X-Ops found an unexpected guest had hitched a ride


During review work related to an AppEsteem Windows Certified Application test, Sophos X-Ops recently identified an unexpected executable delivered alongside Hola Browser (version 1.251.91.0). The executable, me.exe, was not listed as a certified component, and appears to be a crypto-miner.

After the issue was reported through the certification program, Hola reported that they had fixed their delivery pipeline, removing the condition that led to the undeclared component being bundled with Hola Browser.

A surprise guest

AppEsteem’s Windows Certified Application tests are a fairly routine – but important – validation exercise, designed to ensure that shipped binaries match the declared, certified footprint and are appropriately classified by security vendors.

Founded in 2016, AppEsteem is an AMTSO-certified organization that maintains an industry-derived list of good and bad software behaviors. It certifies products that don’t behave deceptively or maliciously, and calls out products that do.

AppEsteem conducts periodic tests in which certified products are validated against multiple independent security vendors. Sophos is one of several vendors that participates in these tests. During one such test, the following hashes were listed as certified for the Hola Browser installer:

  • SHA256: 174086534a2de730058465a4a4e231ce3778ab17ebebfd7f62b3bf9750bc7bdb
  • SHA1: 8046735d354814bf9ef9a053cb9cad8cfec261f2
  • MD5: 8462f61e68b37d220eab2462b3cbcec8

AppEsteem had certified the product after verifying that it didn’t perform any unexpected or unwanted behaviors.

However, when they tested it against several security products, we (and a few other vendors) detected one of the components written to disk – C:\Program Files\Hola\me.exe – as a Potentially Unwanted Application (PUA).

On initial investigation of this binary, we identified a number of potential concerns:

  • The file was not listed as a certified component
  • It was not code signed
  • It had no timestamp
  • It contained obfuscated code
  • It had memory‑write capability

Individually, these characteristics don’t necessarily indicate malicious intent – but, taken together, they describe exactly the kind of artifact that shouldn’t be appearing in a certified application’s directory.
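The properties listed above are all things a tester can check mechanically before accepting an install footprint. The PowerShell below is an added example written for this article, not Sophos, AppEsteem or Hola code: it walks an install directory (the path is an assumption; the article only names C:\Program Files\Hola) and, for every executable, records its SHA256, whether it carries a valid Authenticode signature, whether that signature was timestamped, a whole-file entropy figure as a rough packing/obfuscation hint, and whether the raw file contains the names of memory-writing APIs. None of these signals is conclusive on its own; the script exists to surface the combination the article describes.

```powershell
# Added example, not code from the article. $InstallDir is an assumed path.
param(
    [string]$InstallDir = 'C:\Program Files\Hola'
)

function Get-ByteEntropy {
    # Shannon entropy over the whole file, 0..8 bits per byte. Values near 8
    # are a coarse hint of packing or encryption, not proof of obfuscation.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 2)
}

function Test-ExecutableTriage {
    param([System.IO.FileInfo]$File)
    $sig   = Get-AuthenticodeSignature -FilePath $File.FullName
    $bytes = [System.IO.File]::ReadAllBytes($File.FullName)

    # API names that give a process the ability to write into another
    # process's memory. Legitimate software uses them too; this is one
    # signal among several, as the article notes.
    $memWriteApis = 'WriteProcessMemory', 'VirtualAllocEx', 'NtWriteVirtualMemory'
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
    $found = $memWriteApis | Where-Object { $ascii.Contains($_) }

    [pscustomobject]@{
        File         = $File.FullName
        SHA256       = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        Signed       = ($sig.Status -eq 'Valid')
        SigStatus    = $sig.Status
        Timestamped  = ($null -ne $sig.TimeStamperCertificate)
        Entropy      = Get-ByteEntropy -Bytes $bytes
        MemWriteAPIs = ($found -join ',')
    }
}

$results = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe, *.dll |
    ForEach-Object { Test-ExecutableTriage -File $_ }

# Unsigned or untimestamped binaries with high entropy or memory-write imports
# are the ones to hold back and investigate before the footprint is accepted.
$results |
    Where-Object { -not $_.Signed -or -not $_.Timestamped } |
    Format-Table File, SigStatus, Timestamped, Entropy, MemWriteAPIs -AutoSize
```

Run it on the test host after installation completes; the filtered table should be empty for a footprint in which every component is signed and timestamped. A non-empty table is the cue to compare the listed files against the certified component list.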

The binary, and its presence in that directory, hinted at a pipeline problem – particularly as AppEsteem did not see the file in every third-party test run. That ruled out a simple ‘fixed installer payload’ explanation, instead suggesting delivery-path variance: something dependent on build channel, packaging, post-install fetch, CDN behavior, and/or release pipeline configuration.

In other words, certification validated one snapshot of Hola Browser, but the pipeline delivered more than that snapshot, in at least some cases, suggesting an issue with supply chain integrity.

We escalated the issue to AppEsteem, and through them, we understand that Hola confirmed that me.exe was not supposed to be delivered by their installer.

We approached Hola for any comments. Avi Raz Cohen, CEO of Hola, responded as follows: 

“Our internal security monitoring detected anomalous activity within our update distribution pipeline, and we acted immediately. We are also grateful to Sophos X-Ops and AppEsteem, whose independent certification testing identified and escalated the same issue; this kind of collaborative security ecosystem is exactly what benefits vendors, researchers, and end users alike, and their diligence is appreciated. Upon detection, our first priority was to halt the affected delivery pipeline and eliminate the unwanted software from our infrastructure and from any impacted devices. We take the integrity of our distribution pipeline with the utmost seriousness, and the presence of any undeclared component, regardless of its origin, is unacceptable to us. We engaged Sygnia, an independent cybersecurity firm, to conduct a thorough forensic investigation alongside our own internal review. Sygnia’s findings corroborated our own: this was a supply chain compromise, and critically, no user data was accessed, exfiltrated, or compromised at any point during this incident affecting 0.1% of users. We have since completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure. These measures are designed to ensure that only declared, certified, and signed components are ever delivered to our users. We thank Sophos, AppEsteem, and the broader security research community for their continued vigilance. This collaboration makes the software ecosystem safer for everyone.”

Here’s looking at me.exe

Separately from the AppEsteem finding, we captured the same anomalous artifact in our telemetry (SHA256: e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721), and preserved it for analysis.

This binary appears to be a crypto-miner. It performs a Windows Defender exclusion, and contains several strings relating to crypto-mining activity:

  • “killed orphan miner pid %d”
  • “user active, stopping miner”
  • “m/cmd/xmrig-idle” (a Go module path indicating an XMRig-based miner)

When executed with administrative privileges, the binary copies itself to C:\Program Files\Hola\HolaMonitorService.exe, and creates a service with the name hola_monitor_svc, configured to autostart and run when the host is idle.
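The persistence described above gives a defender several concrete things to look for on a host. The PowerShell below is an added example, not Sophos or Hola code; the service name, dropped path and SHA256 are the ones reported in this article, and the 30-day event window is an assumption. It checks for the service, for the copied binary (comparing its hash to the me.exe hash from telemetry, on the assumption that the copy is byte-identical), for Defender path exclusions covering the install directory, and for Service Control Manager event 7045 records of the service being installed.

```powershell
# Added example, not code from the article. Run as administrator.
$ServiceName = 'hola_monitor_svc'                                  # from the article
$DroppedPath = 'C:\Program Files\Hola\HolaMonitorService.exe'      # from the article
$KnownHash   = 'e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721'  # me.exe SHA256 from the article
$LookbackDays = 30                                                 # assumption

$findings = @()

# 1. The service itself, with start mode and the binary it points at.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    $findings += [pscustomobject]@{
        Check  = 'Service'
        Detail = "$($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
    }
}

# 2. The dropped copy on disk, hashed and compared to the telemetry sample.
if (Test-Path -LiteralPath $DroppedPath) {
    $h = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Check  = 'File'
        Detail = "$DroppedPath sha256=$h matchesKnownSample=$($h -ieq $KnownHash)"
    }
}

# 3. Defender path exclusions that would shield the install directory.
$exclusions = (Get-MpPreference).ExclusionPath |
    Where-Object { $_ -like 'C:\Program Files\Hola*' }
foreach ($e in $exclusions) {
    $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $e }
}

# 4. Service installation events (System log, ID 7045) naming the service.
$events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ServiceName) }
foreach ($ev in $events) {
    $findings += [pscustomobject]@{
        Check  = 'Event7045'
        Detail = "$($ev.TimeCreated) $($ev.Message -replace '\s+', ' ')"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The four checks are independent on purpose: a cleaned host may have lost the file and the service but still carry the Defender exclusion or the 7045 event, and either of those alone is enough to warrant a closer look at that machine's install history.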

The Sophos protection relating to this binary is Troj/GoMiner-B.

Patching the pipeline

After we raised this matter with AppEsteem, and AppEsteem raised it to Hola, AppEsteem informed us that Hola had fixed their delivery pipeline. 

That outcome is the best possible resolution in this kind of case: a suspected integrity problem was surfaced, validated, and fixed upstream, before it could turn into something worse.

One of the reasons certification tests – and the investigation of any unexpected results they produce – are so important is that pipelines should deliver only declared, certified, signed components, and the resulting install footprints should be consistent across test runs and deployment paths.

When one or more of those conditions is violated, something may have gone wrong, and escalation is warranted.
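Both conditions in the preceding paragraphs can be expressed as a comparison between a declared manifest and footprints captured from several test runs. The PowerShell below is an added example, not Sophos, AppEsteem or Hola code: `Get-InstallFootprint` hashes every file under a directory on a test host, and `Compare-Footprints` reports files not on the manifest, files whose hash differs from the certified one, declared files that are missing, and files that appear in only some runs, which is the delivery-path variance this article describes. The manifest and run data at the bottom are constructed; only the path C:\Program Files\Hola\me.exe is from the article.

```powershell
# Added example, not code from the article. Sample hashes are constructed.

function Get-InstallFootprint {
    # Capture path -> SHA256 for every file under a directory (run on the test host).
    param([string]$Root)
    $map = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $map[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function Compare-Footprints {
    param(
        [hashtable]$Declared,   # path -> certified SHA256
        [hashtable[]]$Runs      # one footprint per test run
    )
    $issues = @()
    for ($i = 0; $i -lt $Runs.Count; $i++) {
        $run = $Runs[$i]
        foreach ($path in $run.Keys) {
            if (-not $Declared.ContainsKey($path)) {
                $issues += [pscustomobject]@{ Run = $i; Path = $path; Issue = 'undeclared file' }
            } elseif ($Declared[$path] -ne $run[$path]) {
                $issues += [pscustomobject]@{ Run = $i; Path = $path; Issue = 'hash differs from certified' }
            }
        }
        foreach ($path in $Declared.Keys) {
            if (-not $run.ContainsKey($path)) {
                $issues += [pscustomobject]@{ Run = $i; Path = $path; Issue = 'declared file missing' }
            }
        }
    }
    # Delivery-path variance: anything present in some runs but not all of them.
    $allPaths = $Runs | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($path in $allPaths) {
        $present = @($Runs | Where-Object { $_.ContainsKey($path) }).Count
        if ($present -lt $Runs.Count) {
            $issues += [pscustomobject]@{ Run = '*'; Path = $path; Issue = "present in $present of $($Runs.Count) runs" }
        }
    }
    return $issues
}

# Constructed sample data: a two-file certified manifest and three test runs,
# one of which received an extra, undeclared binary.
$declared = @{
    'C:\Program Files\Hola\hola.exe'    = ('A' * 64)
    'C:\Program Files\Hola\libhola.dll' = ('B' * 64)
}
$runs = @(
    @{ 'C:\Program Files\Hola\hola.exe' = ('A' * 64); 'C:\Program Files\Hola\libhola.dll' = ('B' * 64) },
    @{ 'C:\Program Files\Hola\hola.exe' = ('A' * 64); 'C:\Program Files\Hola\libhola.dll' = ('B' * 64); 'C:\Program Files\Hola\me.exe' = ('C' * 64) },
    @{ 'C:\Program Files\Hola\hola.exe' = ('A' * 64); 'C:\Program Files\Hola\libhola.dll' = ('B' * 64) }
)
Compare-Footprints -Declared $declared -Runs $runs | Format-Table -AutoSize
```

With the constructed data, the report lists me.exe twice: once as an undeclared file in run 1, and once as present in 1 of 3 runs. In a real test each run's footprint would come from `Get-InstallFootprint` on a freshly installed host, and the manifest from the vendor's certified component list, so that an inconsistent install across channels or CDN edges shows up as variance rather than being averaged away.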

Industry certification programs play a role in surfacing these kinds of issues. When unexpected artifacts are identified, the priority is to investigate quickly and resolve the root cause, as happened here.

Acknowledgments

Sophos X-Ops would like to thank all parties involved for their cooperation and timely responses during this incident.