In 2023, security researchers discovered a widespread Telegram bot that distributed NOD32 keys. However, the bot also included a second-stage payload: a disguised as a “license activator.” Users who ran the activator gave the attacker full access to their browser cookies, crypto wallets, and saved passwords. Their antivirus (NOD32) didn’t flag it because the user had manually disabled real-time protection to “install the crack.”