Hola Browser’s Windows software distribution pipeline was compromised to silently deliver a Monero cryptominer alongside legitimate browser installations and updates. Discovered by Sophos during AppEsteem certification checks and confirmed by Sygnia, the attack employs Windows Defender exclusion injection, service masquerading, and idle-time execution to evade detection on managed endpoints.