Wednesday, October 01, 2025

Crowdsourced AI += Exodia Labs

We’re adding a new specialist to VirusTotal’s Crowdsourced AI lineup: Exodia Labs, with an AI engine focused on analyzing Chrome extension (.CRX) files. This complements our existing Code Insight and other AI contributors by helping users better understand this format and detect possible threats.

What you get in VirusTotal

  • Second opinion for .CRX: Exodia Labs adds another AI analysis stream alongside Code Insight. It gives a fresh, independent view on the same sample type. Like all Crowdsourced AI engines, it’s meant to complement (not replace) traditional detections and human analysis.
  • Clear verdict in the UI: Each Exodia report includes a simple verdict (benign, suspicious, or malicious) to help you quickly spot risky extensions.
  • Searchable results in VT Intelligence: You can now use new operators to search and pivot across Exodia Labs results:
    • exodialabs_ai_verdict:malicious | suspicious | benign
    • exodialabs_ai_analysis:<keywords>

See it in action

Here are a few Exodia Labs AI report examples you can explore in VT:

31da559ae4af91106e0a18740d6bb8916e2017f6a37a02ea2a8127f1da30ec77

69c926ea84536bdaba7e4f765bde65eb0199ac30be3a96729a21ea7efa48d721

You can also explore Exodia Labs verdicts at scale using VirusTotal Intelligence.

For example, the following query lists Chrome extensions flagged as malicious and related to financial activity: exodialabs_ai_verdict:malicious AND exodialabs_ai_analysis:financial


This search shows several .CRX files where Exodia Labs AI detected suspicious financial behavior.

Let’s look at two examples:

  • Westpac Extension: Exodia Labs flags it as malicious. The AI analysis shows the extension connects to a remote WebSocket server and exfiltrates cookies, one-time passwords, and payment tokens. It manipulates banking pages and forwards captured credentials to a C2, showing signs of credential theft and financial data tampering.
    34244257f633e104d06b0c4273caca96eb916d26540eeea68495707cbc920bdb

  • Spidy Extension: Also flagged as malicious. The analysis shows it requests and cookies permissions, executes remote crawling jobs, and collects user profile and bank account details. The extension behaves like a data-exfiltration client handling financial credentials not mentioned in its public description.
    718eab32b5597e479d63f1d4e6402b7844eb9a4ee01c9028e44eb202d5ebcb2f

About Exodia Labs

Exodia Labs builds AI-driven analysis for Chrome Web Store extensions, also exposing a browser add-on that lets users request an AI assessment directly from an extension’s store page and view a detailed report plus a verdict. For security teams, the same analysis powers the backend results we index in VirusTotal.

Join Crowdsourced AI

Crowdsourced AI is about aggregating independent AI solutions that explain behavior and provide judgments across many file types, helping you understand unfamiliar code faster and spot novel threats sooner. If you build AI solutions that can help the community, we want to hear from you.