Hola Browser Windows Delivery Pipeline Hijacked to Deploy Cryptominer
ID: 7a33c5e3-ce66-5444-82ff-fee2c94b7846
STIX ID: report--7a33c5e3-ce66-5444-82ff-fee2c94b7846
Feed Name: GBHackers
Hola Browser's Windows delivery pipeline intermittently installed an unsigned, obfuscated executable (me.exe) that analysis linked to crypto-mining (XMRig indicators). The binary showed persistence behaviors: it copied itself to C:\Program Files\Hola\HolaMonitorService.exe, created an autostart service, and attempted to create Windows Defender exclusions. Sophos classified it as Troj/GoMiner-B, and it matched SHA256 e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721. Hola halted the affected distribution path, engaged Sygnia, rebuilt the pipeline with stricter signing and controls, and reported ~0.1% user impact, with no data exfiltration reported.
