The official website of South Asian University (SAU), the New Delhi-based institution founded by the eight SAARC nations, was quietly turned into a launchpad for malware. A page on the university's domain (sau.int) was dressed up as a free download of the video game Doom: The Dark Ages, but anyone who followed its instructions would have infected their own Windows PC. The fake page was spotted by users on the r/hacking community and captured in screenshots reviewed by IntelFusions, with the page itself marked as updated on June 11, 2026.
A ClickFix scam in disguise
The attack is a textbook example of a technique called ClickFix, in which a web page tricks the visitor into running a malicious command by hand, sidestepping the security tools that would normally block a download. The bogus SAU page posed as a game crack or torrent, complete with cover art, a fake file checksum (labelled a SHA sum) and a fake CAPTCHA box to look legitimate. In one version reviewed by IntelFusions, it then offered a Copy Script button and step-by-step instructions telling the visitor to open Windows PowerShell, paste the command, and press Enter, all framed as a routine verification step.

A screenshot of the malicious page on the university domain (sau.int), captured while it was live. Source: shared on r/hacking and reviewed by IntelFusions.
That command is the trap. It quietly downloads a payload from a separate, unrelated website, saves it under a Doom-themed file name ending in .exe, and runs it. Because the victim launches the program themselves after pasting an official-looking command, the usual antivirus prompts and browser download warnings are sidestepped. The downloaded file is the real malware, which in campaigns like this is typically an information stealer or a remote access tool.

A second variant of the same page urged visitors to copy a script into PowerShell and run it, the hallmark of a ClickFix attack. IntelFusions has redacted the malicious command and the payload address.
How it ended up on a university site
The attackers did not need to break anything sophisticated. University websites routinely let staff and students upload files, and many run older content systems with loose permissions, which hands intruders a place to drop their own pages. Commenters on the Reddit thread reported being able to reach parts of the SAU site that should not have been public, and noted that a fake crack for another game, Starfield, was sitting on the same server. Both are signs that the site had been broadly compromised and seeded with several lure pages rather than hit by a one-off prank.
Why attackers love a trusted domain
The real prize is the university's reputation. A malware page hosted on a government-backed institutional domain ranks higher in search results and looks far more trustworthy than a random website, so people searching for free games are more likely to find it and let their guard down. It is the same playbook behind a campaign we reported in which more than 700 education and technology websites were hijacked to serve ClickFix malware, and it echoes the lures that promise free Spotify or Windows on social media before pushing the same "paste this command" trick. Establishing that quiet foothold is often the first step toward a deeper intrusion.
As of writing, the specific Doom page on the SAU domain returned a 502 error, suggesting it had been taken offline or had become unstable, though that does not confirm the wider site has been cleaned. IntelFusions has reached out to South Asian University for comment and will update this article with any response.
What you should do
The single most important rule is simple: no legitimate website, download, or CAPTCHA will ever ask you to copy a command into PowerShell, the Windows Run box, or a terminal. Any page that does is trying to infect you, no matter how trustworthy the web address looks. Steer clear of pirated games and software cracks, which are a prime delivery route for this kind of malware. Website operators, and universities in particular, should lock down who can upload files, remove unused or outdated content management plugins, and routinely scan their own sites for unfamiliar pages.
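For site operators, the routine scan can be a short script run over the web root. The sketch below is an added example, not IntelFusions tooling: it flags pages that pair a copy or paste instruction with a PowerShell or Run box reference, the combination seen on the SAU lure. The regex patterns, file extensions and sample pages are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers for the lure traits described in this article.
# Patterns and the decision rule are assumptions chosen for illustration.
TRAITS = {
    "clipboard_copy": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy|copy\s+script", re.I),
    "shell_instruction": re.compile(r"\bpowershell\b|\bwin(dows)?\s*\+\s*r\b|\brun (box|dialog)\b", re.I),
    "paste_and_enter": re.compile(r"\bpaste\b.{0,80}\b(press|hit)\s+enter\b", re.I | re.S),
    "fake_verification": re.compile(r"\bcaptcha\b|verify (that )?you are human|i'?m not a robot", re.I),
    "piracy_bait": re.compile(r"\b(crack(ed)?|torrent|keygen)\b", re.I),
}

def page_traits(html):
    """Return the names of all lure traits found in one page's source."""
    return {name for name, rx in TRAITS.items() if rx.search(html)}

def is_suspect(traits):
    # A shell reference alone is common on IT help pages; flag only when the
    # page also tells the visitor to copy or paste something into that shell.
    return "shell_instruction" in traits and bool(traits & {"clipboard_copy", "paste_and_enter"})

def scan_webroot(root):
    """Walk a web root and map each suspect page to the traits it matched."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php"}:
            traits = page_traits(path.read_text(errors="replace"))
            if is_suspect(traits):
                findings[path.relative_to(root).as_posix()] = sorted(traits)
    return findings

def demo():
    """Run the scan over two constructed pages: one lure, one benign."""
    lure = """<h1>Game crack torrent</h1><div>CAPTCHA: I'm not a robot</div>
    <button onclick="navigator.clipboard.writeText(cmd)">Copy Script</button>
    <p>Open Windows PowerShell, paste the command, and press Enter.</p>"""
    benign = "<h1>Admissions</h1><p>IT helpdesk: PowerShell training on Friday.</p>"
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "uploads").mkdir()
        (Path(root) / "uploads" / "doom.html").write_text(lure)
        (Path(root) / "index.html").write_text(benign)
        return scan_webroot(root)

if __name__ == "__main__":
    for page, traits in demo().items():
        print(page, traits)
```

Hits are leads for manual review, not verdicts; comparing flagged paths against the list of pages the site is supposed to publish separates planted lures from legitimate documentation.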
Indicators of compromise
- Malicious page (now returning an error): a fake Doom: The Dark Ages crack and torrent page hosted on the sau[.]int domain
- Payload host: hxxps://tuasesoriadigital[.]es, a separate and likely compromised site serving the executable
- Dropped file name pattern: a hexadecimal prefix followed by doom_dark_x6.exe
- Decoy SHA sum displayed on the page: 55ef71b0b628ad87872cdf0dc2e2c3eb
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.