Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions

Summary

SentinelOne uncovered Fast16, a sophisticated Lua-based sabotage malware predating Stuxnet by years, likely developed by the United States and referenced in NSA tool leaks. The malware targeted high-precision calculation software used in engineering and physics simulations, featuring kernel-level filesystem manipulation, self-propagation via weak credentials, and environmental awareness to evade detection. Evidence suggests it targeted tools used in Iran's nuclear program, representing an early example of state-sponsored cyber-sabotage designed to introduce systematic calculation errors rather than conduct traditional espionage.

Full text

SentinelOne has discovered a Lua-based sabotage malware created years before the notorious Stuxnet malware and designed to tamper with high-precision calculation software. Dubbed Fast16, the malware was referenced in the ShadowBrokers’ leak of National Security Agency (NSA) offensive tools and was used in an attack in 2005. SentinelOne has found evidence indicating that Fast16, just like Stuxnet, may have been developed by the United States. Looking for the first use of Lua in Windows malware, SentinelLab uncovered ‘svcmgmt.exe’, a service binary with an embedded Lua 5.0 virtual machine that referenced the kernel driver ‘fast16.sys’. Designed for pre-Windows 7 systems, the driver would provide control over filesystem I/O, while including rule-based code patching functionality that points toward state-sponsored use. SentinelLabs’ analysis showed that svcmgmt.exe is the core component of Fast16, serving as a carrier module that, based on command-line arguments, could run as a service, execute Lua code, and interpret a filename to spawn two commands. Svcmgmt.exe contains three payloads: Lua code handling configuration, propagation, and coordination; an auxiliary DLL; and the kernel driver.Advertisement. Scroll to continue reading. “By separating a relatively stable execution wrapper from encrypted, task-specific payloads, the developers created a reusable, compartmentalized framework that they could adapt to different target environments and operational objectives while leaving the outer carrier binary largely unchanged across campaigns,” SentinelLabs notes. For propagation, it used default or weak passwords for file shares on Windows 2000 and XP, moving between systems through standard APIs. Propagation, however, is conditioned by the absence of specific vendor keys, thus preventing execution in monitored environments. “For tooling of this age, that level of environmental awareness is notable. While the list of products may not seem comprehensive, it likely reflects the products the operators expected to be present in their target networks whose detection technology would threaten the stealthiness of a covert operation,” SentinelLabs notes. The fast16.sys kernel driver loads automatically alongside disk device drivers, inserts itself above filesystems, disables the Windows Prefetcher, resolves kernel APIs dynamically, and attaches itself to every filesystem device to route relevant I/O Request Packets and Fast I/O paths through these worker devices. The driver focuses on executable files compiled with the Intel C/C++ compiler, modifying their PE headers to add two additional sections, enabling extensive yet stable patching. Strategic sabotage rather than generic espionage According to SentinelLabs, the patching patterns suggest the driver was designed to hijack or influence the execution flows of precision calculation tools used in civil engineering, physics, and physical process simulations. Fast16’s tampering, the cybersecurity firm notes, would result in alternative outputs being produced, aiming for strategic sabotage. “By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage,” SentinelLabs says. A wormable component allowed the threat to infect other systems on the same network and prevent the sabotage from being discovered by verifying calculations on a different machine. “The engine relies on a compact set of just over a hundred pattern-matching rules and a small dispatch table, so it only inspects bytes that are likely to matter,” SentinelLabs notes. The cybersecurity firm identified three high-precision engineering and simulation suites potentially targeted by Fast16, namely LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, but has yet to identify binaries in the driver’s crosshairs. There is evidence that LS-DYNA has been used by Iran as part of its nuclear weapons development program. Iran’s nuclear program was also targeted by the Stuxnet malware created by the US and Israel. SentinelLabs notes that the malware’s existence shows that state‑grade cyber-sabotage capabilities had been fully developed and deployed by the mid-2000s. “In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits. It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today,” the cybersecurity firm notes. Related: ‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors Related: Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks Related: Nation-State iOS Exploit Kit ‘Coruna’ Found Powering Global Attacks Related: Cyber Insights 2026: Cyberwar and Rising Nation State Threats Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cloudsmith Raises $72 Million in Series C FundingRilian Raises $17.5 Million for AI-Native Security OrchestrationLuxury Cosmetics Giant Rituals Discloses Data BreachApple Patches iOS Flaw Allowing Recovery of Deleted ChatsRecent Microsoft Defender Vulnerability Exploited as Zero-DayNew Wiper Malware Targeted Venezuelan Energy Sector Prior to US Intervention Mirai Botnet Targets Flaw in Discontinued D-Link RoutersNorth Korean Hackers Use AppleScript, ClickFix in Fresh macOS Attacks Latest News In Other News: Unauthorized Mythos Access, Plankey CISA Nomination Ends, New Display Security DeviceWhy Cybersecurity Must Rethink Defense in the Age of Autonomous AgentsLocked Shields 2026: 41 Nations Strengthen Cyber Resilience in World’s Biggest ExerciseUS Federal Agency’s Cisco Firewall Infected With ‘Firestarter’ BackdoorTrump Administration Vows Crackdown on Chinese Companies ‘Exploiting’ AI Models Made in USVulnerabilities Patched in CrowdStrike, Tenable ProductsBitwarden NPM Package Hit in Supply Chain AttackCopperhelm Raises $7 Million for Agentic Cloud Security Platform Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveNeill Feather has been named Chief Executive Officer at Point Wild.Oasis Security has appointed Michael DeCesare as President.Sterling Wilson has joined IGEL as Global Field CTO, Business Continuity and Disaster Recovery.More People On The MoveExpert Insights Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The

Indicators of Compromise

• malware — Fast16
• malware — svcmgmt.exe
• malware — fast16.sys

Entities