We’re adding a new specialist to VirusTotal’s Crowdsourced AI lineup: Exodia Labs, with an AI engine focused on analyzing Chrome extension (.CRX) files. This complements our existing Code Insight and other AI contributors by helping users better understand this format and detect possible threats.
What you get in VirusTotal
- Second opinion for .CRX: Exodia Labs adds another AI analysis stream alongside Code Insight. It gives a fresh, independent view on the same sample type. Like all Crowdsourced AI engines, it’s meant to complement (not replace) traditional detections and human analysis.
- Clear verdict in the UI: Each Exodia report includes a simple verdict (benign, suspicious, or malicious) to help you quickly spot risky extensions.
- Searchable results in VT Intelligence: You can now use new operators to search and pivot across Exodia Labs results:
  - exodialabs_ai_verdict:malicious | suspicious | benign
  - exodialabs_ai_analysis:<keywords>
See it in action
Here are a few Exodia Labs AI report examples you can explore in VT:
You can also explore Exodia Labs verdicts at scale using VirusTotal Intelligence.
For example, the following query lists Chrome extensions flagged as malicious and related to financial activity: exodialabs_ai_verdict:malicious AND exodialabs_ai_analysis:financial
This search shows several .CRX files where Exodia Labs AI detected suspicious financial behavior.
Let’s look at two examples:
- Westpac Extension: Exodia Labs flags it as malicious. The AI analysis shows the extension connects to a remote WebSocket server and exfiltrates cookies, one-time passwords, and payment tokens. It manipulates banking pages and forwards captured credentials to a C2, showing signs of credential theft and financial data tampering.
34244257f633e104d06b0c4273caca96eb916d26540eeea68495707cbc920bdb
- Spidy Extension: Also flagged as malicious. The analysis shows it requests
and cookies permissions, executes remote crawling jobs, and collects user profile and bank account details. The extension behaves like a data-exfiltration client handling financial credentials not mentioned in its public description.
718eab32b5597e479d63f1d4e6402b7844eb9a4ee01c9028e44eb202d5ebcb2f
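For a manual first pass over a .CRX like the ones above, the sketch below strips the CRX3 envelope and lists the manifest permissions worth a closer look. It is an added example, not VirusTotal or Exodia Labs code; the watch-lists, the function names and the sample file are assumptions constructed for this illustration.

```python
import io
import json
import struct
import zipfile

# Assumption: illustrative watch-lists, not Exodia Labs' or VirusTotal's criteria.
WATCHED = {"cookies", "webRequest", "debugger", "scripting", "tabs"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def crx_to_zip(data: bytes) -> bytes:
    """Strip the CRX3 envelope (magic, version, header length, header)."""
    if len(data) < 12 or data[:4] != b"Cr24":
        raise ValueError("missing Cr24 magic")
    version, header_len = struct.unpack_from("<II", data, 4)
    if version != 3:
        raise ValueError(f"unsupported CRX version {version}")
    start = 12 + header_len
    if data[start:start + 4] != b"PK\x03\x04":
        raise ValueError("header length does not point at a ZIP archive")
    return data[start:]  # the signature in the header is NOT verified here

def triage(data: bytes) -> dict:
    """Return the manifest entries an analyst would look at first."""
    with zipfile.ZipFile(io.BytesIO(crx_to_zip(data))) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    perms = set()
    for key in PERMISSION_KEYS:
        # MV2 mixes host patterns into "permissions"; keep string entries only.
        perms |= {p for p in manifest.get(key, []) if isinstance(p, str)}
    return {
        "name": manifest.get("name"),
        "manifest_version": manifest.get("manifest_version"),
        "watched": sorted(perms & WATCHED),
        "broad_hosts": sorted(perms & BROAD_HOSTS),
    }

def build_sample_crx() -> bytes:
    """Constructed sample: placeholder header bytes plus a tiny ZIP."""
    manifest = {"name": "constructed-sample", "manifest_version": 3,
                "permissions": ["cookies", "storage"],
                "host_permissions": ["<all_urls>"]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    header = b"\x00" * 16  # stands in for the signed protobuf header
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample_crx()))
```

A permission hit is only a prompt for closer review of what the extension does with that access, not a verdict.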
About Exodia Labs
Exodia Labs builds AI-driven analysis for Chrome Web Store extensions. It also offers a browser add-on that lets users request an AI assessment directly from an extension’s store page and view a detailed report plus a verdict. For security teams, the same analysis powers the backend results we index in VirusTotal.
Join Crowdsourced AI
Crowdsourced AI is about aggregating independent AI solutions that explain behavior and provide judgments across many file types, helping you understand unfamiliar code faster and spot novel threats sooner. If you build AI solutions that can help the community, we want to hear from you.