Our Integration in VirusTotal
Integration of Exodia Labs' AI engine into VirusTotal's Crowdsourced AI lineup, specializing in the analysis and threat detection of Chrome extension (.CRX) files.
Overview
Exodia Labs has been integrated into VirusTotal’s Crowdsourced AI lineup, providing an advanced AI engine specifically focused on analyzing Chrome extension (.CRX) files. This integration was officially announced in the VirusTotal Blog and complements existing AI contributors by enabling users to better understand the .CRX format and detect potential threats with high accuracy.
Capabilities within VirusTotal
The integration introduces several key capabilities to the VirusTotal platform:
- Secondary Analysis Stream for .CRX: The Exodia Labs engine provides an independent, AI-driven analysis stream alongside other tools like Code Insight. It is designed to complement traditional detections and human analysis.
- Clear UI Verdicts: Each report generated by Exodia Labs includes a decisive verdict (benign, suspicious, or malicious) to facilitate rapid identification of risky extensions.
- Advanced Search in VT Intelligence: Users can utilize specific operators to search and pivot across Exodia Labs results:
  exodialabs_ai_verdict:malicious | suspicious | benign
  exodialabs_ai_analysis:<keywords>
Practical Application
The AI engine’s effectiveness can be observed through detailed reports available in VirusTotal (e.g., 31da559a...da30ec77 and 69c926ea...fa48d721 ).
Furthermore, verdicts can be explored at scale using VirusTotal Intelligence. For instance, executing a query for malicious extensions related to financial activity (exodialabs_ai_verdict:malicious AND exodialabs_ai_analysis:financial) yields notable findings:
- Westpac Extension ( 34244257...bc920bdb ): Flagged as malicious. Analysis reveals the extension establishes a connection to a remote WebSocket server to exfiltrate cookies, one-time passwords, and payment tokens. It actively manipulates banking pages and forwards captured credentials to a Command and Control (C2) server, indicating severe credential theft and financial data tampering.
- Spidy Extension ( 718eab32...d5ebcb2f ): Flagged as malicious. The engine detected anomalous behavior where the extension requests cookie permissions, executes remote crawling jobs, and silently collects user profile and bank account details, acting as a data-exfiltration client handling financial credentials omitted from its public description.
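The two search operators above, and the combined verdict-plus-keyword query used in this section, are the practical hook for security teams that want to triage Exodia Labs verdicts at scale. The following is an added example (not Exodia Labs' or VirusTotal's code) showing how a defender might compose those queries and reduce a page of results to a ranked triage list. The operator names come from this page; the response layout, the per-engine "source" label, and the sample records are constructed assumptions that mimic the shape of a VirusTotal API v3 object list (data[].attributes), not a documented contract.

```python
"""Compose VT Intelligence queries over Exodia Labs .CRX verdicts and rank results.

Added example, not Exodia Labs' or VirusTotal's code. The operators
exodialabs_ai_verdict / exodialabs_ai_analysis come from the integration
page; the response shape below is an ASSUMPTION modelled on VT API v3
object lists and the sample data is CONSTRUCTED for offline use.
"""

VALID_VERDICTS = ("malicious", "suspicious", "benign")
SEVERITY = {"malicious": 0, "suspicious": 1, "benign": 2}
ENGINE_SOURCE = "Exodia Labs"  # assumed value of the per-engine "source" field


def build_query(verdict, keywords=()):
    """Return a VT Intelligence query string for the given verdict and keywords.

    Keywords are ANDed together, matching the page's worked query
    'exodialabs_ai_verdict:malicious AND exodialabs_ai_analysis:financial'.
    """
    if verdict not in VALID_VERDICTS:
        raise ValueError(f"verdict must be one of {VALID_VERDICTS}, got {verdict!r}")
    terms = [f"exodialabs_ai_verdict:{verdict}"]
    terms.extend(f"exodialabs_ai_analysis:{kw}" for kw in keywords)
    return " AND ".join(terms)


def exodia_result(file_obj):
    """Return the Exodia Labs entry from a file object's AI results, or None."""
    results = file_obj.get("attributes", {}).get("crowdsourced_ai_results", [])
    for entry in results:
        if entry.get("source") == ENGINE_SOURCE:
            return entry
    return None


def triage(response):
    """Reduce a search response to rows ordered malicious > suspicious > benign.

    Files with no Exodia Labs entry are skipped: absence of a verdict from
    this engine is not evidence of safety, so they should be reviewed via
    other sources rather than treated as benign.
    """
    rows = []
    for file_obj in response.get("data", []):
        entry = exodia_result(file_obj)
        if entry is None:
            continue
        verdict = entry.get("verdict", "").lower()
        analysis = entry.get("analysis", "").strip()
        rows.append({
            "sha256": file_obj["id"],
            "verdict": verdict,
            # first sentence of the engine's explanation, for a one-line overview
            "summary": analysis.split(". ")[0] if analysis else "",
        })
    rows.sort(key=lambda r: SEVERITY.get(r["verdict"], len(SEVERITY)))
    return rows


# Constructed sample response; hashes are placeholders, not real samples.
SAMPLE_BENIGN_SHA256 = "1" * 64
SAMPLE_MALICIOUS_SHA256 = "2" * 64
SAMPLE_UNASSESSED_SHA256 = "3" * 64
SAMPLE_RESPONSE = {
    "data": [
        {"id": SAMPLE_BENIGN_SHA256, "type": "file", "attributes": {
            "crowdsourced_ai_results": [
                {"source": ENGINE_SOURCE, "verdict": "benign",
                 "analysis": "Applies a colour theme to the new-tab page. No network activity."}]}},
        {"id": SAMPLE_MALICIOUS_SHA256, "type": "file", "attributes": {
            "crowdsourced_ai_results": [
                {"source": ENGINE_SOURCE, "verdict": "malicious",
                 "analysis": "Opens a WebSocket to a remote server and forwards session cookies. "
                             "Rewrites banking pages in the user's session."}]}},
        {"id": SAMPLE_UNASSESSED_SHA256, "type": "file", "attributes": {
            "crowdsourced_ai_results": [
                {"source": "Some Other Engine", "verdict": "suspicious", "analysis": "..."}]}},
    ]
}


if __name__ == "__main__":
    print(build_query("malicious", ["financial"]))
    for row in triage(SAMPLE_RESPONSE):
        print(f"{row['verdict']:<10} {row['sha256'][:16]}...  {row['summary']}")
```

In practice the query string would be sent to VT Intelligence and the returned object list fed to triage(); the ranking keeps analyst attention on the malicious verdicts first, while files the engine did not assess are deliberately left out of the "benign" bucket.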
Ecosystem Impact
In addition to powering the backend results indexed in VirusTotal for security teams, Exodia Labs also provides a browser add-on that lets users request an AI assessment directly from an extension's store page and retrieve a detailed behavioral report with a clear verdict.
This collaboration aligns with the broader mission of Crowdsourced AI to aggregate independent AI solutions that explain behavior and provide judgments across diverse file types, accelerating the understanding of unfamiliar code and the detection of novel threats.