Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software

Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software

Cybersecurity researchers at SentinelOne have discovered a previously undocumented malware framework called fast16 that dates back to 2005. The Lua-based implant was designed to sabotage high-precision engineering and simulation software by introducing systematic errors into mathematical calculations. The malware was uncovered after SentinelOne identified an artifact named svcmgmt.exe that contained an embedded Lua 5.0 virtual machine and encrypted bytecode.

The framework includes a kernel driver called fast16.sys that intercepts and modifies executable code as it is read from disk, specifically targeting software compiled with the Intel C/C++ compiler. It performs rule-based patching to corrupt calculations in tools used for civil engineering, physics, and physical process simulations. SentinelOne identified three likely target suites: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modelling platform. The sample also contains a Service Control Manager wormlet that can propagate across Windows 2000/XP environments with weak credentials, and it checks for the presence of security products from vendors including Kaspersky, McAfee, and Microsoft.

SentinelOne linked the malware to a reference found in a text file called drv_list.txt that was leaked by The Shadow Brokers in 2017. The Shadow Brokers published data allegedly stolen from the Equation Group, an advanced persistent threat group with suspected ties to the U.S. National Security Agency. The string fast16 in the leaked file provided the key forensic link connecting the 2005 malware to the NSA operator deconfliction signatures. The discovery makes fast16 the first known strain of Windows malware to embed a Lua engine.

The fast16 discovery forces a re-evaluation of the historical timeline for state-backed cyber sabotage operations. It demonstrates that sophisticated tooling targeting physical infrastructure had been fully developed and deployed by the mid-2000s, predating Stuxnet by at least five years and Flame by even longer. This finding underscores how long advanced actors have been developing covert capabilities to reshape the physical world through software, and it serves as a reminder that historical assessments of cyber warfare capabilities may need significant revision.

Click here for the original article.