A cryptominer operating as a persistent Windows service consumes CPU and memory, directly degrading endpoint performance and increasing power costs across affected machines. At scale, this translates to measurable productivity loss and infrastructure overhead. Because the attacker also disabled Windows Defender, affected endpoints operated with reduced security coverage for an unknown duration, increasing exposure to follow-on attacks. For organizations in regulated industries, unauthorized software executing on managed endpoints may trigger an obligation to assess whether breach notification is required, depending on applicable regulatory requirements; this should be evaluated with qualified legal counsel.
You Are Affected If
You run Hola Browser for Windows on any managed or unmanaged enterprise endpoint
Hola Browser was installed or auto-updated within the window of the confirmed compromise (specific version range not confirmed in available sources — treat all current installations as suspect)
Endpoints running Hola Browser have outbound internet access that could reach cryptomining pool infrastructure
Windows Defender is the primary endpoint protection tool on affected systems, without a secondary EDR layer to compensate for Defender exclusion tampering
Your software allowlist policy does not block unapproved browser installations on enterprise assets
Board Talking Points
A widely distributed Windows browser used by millions was weaponized to install hidden software that steals computing resources from users' machines — any employee running this browser may be affected.
IT and security teams should remove Hola Browser from all company devices immediately and scan affected systems within the next 24 hours.
Without action, affected machines continue running unauthorized software with reduced security controls, increasing the risk of additional compromise beyond the known cryptominer.