Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations

Summary

Security researchers from Symantec and Carbon Black have confirmed that the Lua-based Fast16 malware, discovered in 2017 Shadow Brokers leaks, was a nation-state cyber sabotage tool designed to corrupt uranium-compression simulations used in nuclear weapons research. The malware predates Stuxnet by approximately two years (circa 2005) and features 101 rules targeting high-explosive detonation simulations in LS-DYNA and AUTODYN software, with selective activation based on material density thresholds consistent with uranium compression. The discovery reveals that strategic industrial sabotage via malware was conducted by state-sponsored actors at least two decades ago, establishing a precedent for the later Stuxnet operation against Iran's nuclear enrichment facilities.

Full text

Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations Ravie LakshmananMay 18, 2026Industrial Sabotage / Malware A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations. According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations that are central to nuclear weapon design. "Fast16's hook engine is selectively interested in high-explosive simulations inside LS-DYNA and AUTODYN," the Threat Hunter Team said. "The malware checks for the density of the material being simulated and only acts when that value passes 30 g/cm³, the threshold uranium can only be reached under the shock compression of an implosion device. The development comes weeks after SentinelOne presented an analysis of fast16, describing it as the first sabotage framework whose components may have developed as early as 2005, predating the earliest known version of Stuxnet (aka Stuxnet 0.5) by two years. Evidence unearthed by the cybersecurity company included a reference to the string "fast16" in a text file that was leaked by an anonymous hacking group called The Shadow Brokers in 2017. The file was part of a huge tranche of hacking tools and exploits allegedly used by the Equation Group, a state-sponsored threat actor with suspected ties to the U.S. National Security Agency (NSA). At its core, the industrial sabotage malware features a set of 101 rules to tamper with mathematical calculations carried out by certain engineering and simulation programs that were prevalent at the time. Although the exact binaries that are patched by the malware is unclear, SentinelOne identified three probable candidates: LS-DYNA version 970, Practical Structural Design and Construction Software (PKPM), and Modelo Hidrodinâmico (MOHID). Symantec's latest analysis has now confirmed that LS-DYNA and AUTODYN are the two applications targeted by fast16, adding it was designed explicitly to interfere with simulations of high-explosive detonations, almost certainly to facilitate sabotage against nuclear weapons research. "Both are software applications used to simulate real-world problems such as vehicle crashworthiness, material modelling, and explosive simulation," Symantec and Carbon Black said. "The hooks fast16 places inside of the simulation program consist of three attack strategies. The tampering only activates during full-scale transient blast and detonation runs." The 101 hook rules can be categorized further into 9-10 hook groups, each targeting different builds of LS-DYNA or AUTODYN, suggesting that the developers of the malware were keeping track of software updates and adding support for different versions over time. This points to a methodical and sustained operation. "If hook rule groups were added sequentially as needed, we see a hook group added for a previous version of the software after a newer version," researchers explained. "One may imagine, the simulation user reverted to an older version when faced with the anomaly, before that version was also targeted. Secondly, the hook groups represent up to 10 different versions of simulation software, meaning the simulation user updates versions semi-frequently. Fast16 is crafted such that it will not infect computers that have certain security products installed. It also automatically spreads to other endpoints on the same network, so that any machine that's used to run the simulations will generate the same tampered outputs. The findings indicate that strategic industrial sabotage using malware was being conducted by nation-state actors as far back as 20 years ago, well before Stuxnet was used to damage uranium enrichment centrifuges at Iran's nuclear plant in Natanz by injecting malicious code into Siemens programmable logic controllers. Speaking to cybersecurity journalist Kim Zetter, Vikram Thakur, technical director for Symantec, said the level of expertise and understanding required to design such a malware in 2005 is "mind-blowing." That said, it's not known if a modern-day version of fast16 exists in the wild. "That degree of domain knowledge, such as understanding which EOS [Equation of State] forms matter, which calling conventions are produced by which compilers, and which classes of simulation will or will not trip the gate, is unusual in any era and was very unusual in 2005," Symantec and Carbon Black said. "The framework belongs to the same conceptual lineage as Stuxnet, in which malware was tailored not just to a vendor's product but to a specific physical process being simulated or controlled by that product." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Carbon Black, cybersecurity, Equation Group, Industrial Sabotage, Malware, SentinelOne, Simulation Software, Stuxnet, Symantec ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage

Indicators of Compromise

• malware — Fast16
• malware — Stuxnet

Entities