Fast16: Pre-Stuxnet malware that targeted precision engineering software

Fast16 is a pre-Stuxnet malware that tampered with precision software and spread itself. Evidence suggests links to U.S. operations during early cyber tensions.

SentinelOne uncovered Fast16, a sabotage malware used in 2005, years before Stuxnet. The malicious code is written in Lua and targeted high-precision calculation software, altering results and spreading across systems. The malware appeared in the ShadowBrokers leak of NSA tools, and evidence suggests it may have been developed by the United States, highlighting early cyber operations linked to tensions with Iran.

Researchers traced early advanced malware design by searching for the first use of embedded Lua engines, a feature later seen in tools like Flame and Project Sauron. Lua enables modular, flexible malware without recompilation. The analysis led to a 2005 sample, svcmgmt.exe, which contained an embedded Lua VM and encrypted bytecode. Though it looked like a simple service binary, deeper analysis revealed a sophisticated implant with encryption, Windows API access, and modular design. A debug path linked it to the fast16.sys driver, tying it to the early Fast16 framework.

The carrier svcmgmt.exe acts as a modular loader, using encrypted Lua payloads and “wormlets” to spread across Windows systems via network shares, while avoiding detection by checking for security tools. It can also deploy the kernel driver for deeper control.

The fast16.sys driver loads at boot and intercepts filesystem operations, modifying executable files in memory. It targets specific programs, especially precision calculation software compiled with Intel tools, and applies rule-based patches that subtly alter results using floating-point manipulation.

“The FPU patch in fast16.sys was written to corrupt these routines in a controlled way, producing alternative outputs. This moves fast16 out of the realm of generic espionage tooling and into the category of strategic sabotage.” continues the report. “By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time or even contribute to catastrophic damage.”

This suggests a sabotage goal rather than simple espionage, aiming to corrupt scientific or engineering outputs while remaining stealthy and persistent across infected systems.

“A sabotage operation of this kind would be foiled by verifying calculations on a separate system. In an environment where multiple systems shared the same network and security posture, the wormable carrier would deploy the malicious driver module to those systems as well, reducing the chance that an independent calculation would diverge from the corrupted output.” reads the report published by SentinelOne. “At this time, we’ve been unable to identify all of the target binaries in order to understand the nature of the intended sabotage.”
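The independent-verification check the report describes can be automated. The following is an added example, not code from SentinelOne's report or from fast16: it compares float64 results exported from two hosts that do not share a network or security posture and flags divergence that is larger than rounding noise and consistently one-sided. The function names, the 4-ULP tolerance, the same-sign heuristic and the sample values are all assumptions of this example.

```python
import math
import struct

def ulp_distance(a: float, b: float) -> int:
    """Count the representable float64 values separating a and b."""
    def ordered(x: float) -> int:
        bits = struct.unpack("<q", struct.pack("<d", x))[0]
        # IEEE-754 is sign-magnitude; fold negatives onto one integer line.
        return bits if bits >= 0 else -(bits & 0x7FFFFFFFFFFFFFFF)
    return abs(ordered(a) - ordered(b))

def compare_runs(reference, suspect, max_ulps=4):
    """Compare the same calculation exported from two independent hosts."""
    if len(reference) != len(suspect):
        raise ValueError("result vectors differ in length")
    diverged, scale_err = [], []
    for i, (r, s) in enumerate(zip(reference, suspect)):
        if not (math.isfinite(r) and math.isfinite(s)):
            # NaN/inf must match in kind; they carry no usable magnitude.
            if not (r == s or (math.isnan(r) and math.isnan(s))):
                diverged.append(i)
            continue
        if ulp_distance(r, s) > max_ulps:
            diverged.append(i)
            if r != 0.0:
                scale_err.append((s - r) / r)
    # Heuristic (an assumption of this example): an offset that pushes the
    # same way across several outputs is the pattern worth escalating.
    one_sided = all(e > 0 for e in scale_err) or all(e < 0 for e in scale_err)
    return {
        "diverged": diverged,
        "max_rel_error": max((abs(e) for e in scale_err), default=0.0),
        "systematic": len(scale_err) >= 3 and one_sided,
    }

# Constructed sample data (not taken from any real solver or from fast16).
CLEAN = [1250.0, 0.3, -87.5, 4096.125, 2.5e-3]
BENIGN = [1250.0, 0.1 + 0.2, -87.5, 4096.125, 2.5e-3]   # 1-ULP rounding noise
BIASED = [v * (1 + 1e-6) for v in CLEAN]                # small one-sided drift

if __name__ == "__main__":
    print("benign:", compare_runs(CLEAN, BENIGN))
    print("biased:", compare_runs(CLEAN, BIASED))
```

The comparison is only meaningful when the reference host could not have received the same driver, which is the condition the report's wormable carrier was designed to defeat.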

Fast16 most likely targeted high-precision engineering and simulation software used in the mid-2000s, based on pattern matching of its patching rules. The strongest candidates include LS-DYNA 970 (used for crash, explosion, and structural simulations, including sensitive defense-related research), PKPM (a widely used Chinese structural design and seismic analysis suite), and MOHID (a hydrodynamic modeling platform for coastal and environmental simulations).

Analysis of compiler artifacts inside the malware suggests it came from an older, security-focused Unix engineering culture, with traces of SCCS/RCS versioning conventions unusual in Windows malware of that era. This points to a long-running, well-resourced development effort rather than opportunistic tooling.

The overall design of fast16 combines a Lua-based carrier, a kernel-level filesystem driver, and rule-based code patching. This structure enables controlled corruption of numerical outputs in specialized simulation software, potentially altering results in fields like structural engineering, physics modeling, and environmental analysis.

“This 2005 attack is a harbinger for sabotage operations targeting ultra expensive high-precision computing workloads of national importance like advanced physics, cryptographic, and nuclear research workloads.” concludes the report. “fast16 predates Stuxnet by at least five years, and stands as the first operation of its kind. The use of an embedded customized Lua virtual machine predates the earliest Flame samples by three years.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)