SentinelOne has discovered a Lua-based sabotage malware created years before the infamous Stuxnet malware and designed to tamper with high-precision calculation software.
Dubbed Fast16, the malware was referenced in the ShadowBrokers' leak of National Security Agency (NSA) offensive tools and was used in an attack in 2005. SentinelOne has found evidence indicating that Fast16, just like Stuxnet, may have been developed by the United States.
Looking for the first use of Lua in Windows malware, SentinelLabs uncovered 'svcmgmt.exe', a service binary with an embedded Lua 5.0 virtual machine that referenced the kernel driver 'fast16.sys'.
Designed for pre-Windows 7 systems, the driver provides control over filesystem I/O and includes rule-based code patching functionality that points toward state-sponsored use.
SentinelLabs' analysis showed that svcmgmt.exe is the core component of Fast16, serving as a service module that, depending on its command-line arguments, could run as a service, execute Lua code, or interpret a filename to spawn two commands.
Svcmgmt.exe contains three payloads: Lua code handling configuration, propagation, and coordination; an auxiliary DLL; and the kernel driver.
“By separating a relatively stable execution wrapper from encrypted, task-specific payloads, the developers created a reusable, compartmentalized framework that they could adapt to different target environments and operational objectives while leaving the outer carrier binary largely unchanged across campaigns,” SentinelLabs notes.
For propagation, it used default or weak passwords for file shares on Windows 2000 and XP, moving between systems through standard APIs. Propagation, however, is conditioned on the absence of specific security vendor keys, which prevents execution in monitored environments.
“For tooling of this age, that level of environmental awareness is notable. While the list of products may not seem comprehensive, it likely reflects the products the operators expected to be present in their target networks whose detection technology would threaten the stealthiness of a covert operation,” SentinelLabs notes.
The fast16.sys kernel driver loads automatically alongside disk device drivers, inserts itself above the filesystems, disables the Windows Prefetcher, resolves kernel APIs dynamically, and attaches itself to every filesystem device so that the relevant I/O Request Packets and Fast I/O paths are routed through its worker devices.
The driver focuses on executables compiled with the Intel C/C++ compiler, modifying their PE headers to add two extra sections, which enables extensive yet stable patching.
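As an added example (not SentinelLabs' or SentinelOne's code) of the defensive counterpart to the header change just described, the Python below records the section table of a trusted copy of an executable and reports sections appended beyond that baseline or altered in place. The PE images it builds and the section names .xtra0/.xtra1 are constructed for the demo and do not come from the report; the parser itself only follows the documented DOS/COFF/section-header layout.

```python
"""Baseline comparison of PE section tables (added example, not SentinelLabs' code).

A defender who knows which engineering binaries matter can record their section
tables from a trusted install and later re-read them. Sections that appear beyond
the baseline, or baseline sections whose size or flags changed, are the kind of
header modification the article describes. Demo section names are constructed.
"""
import struct
from typing import Dict, List, NamedTuple


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size   # table follows the optional header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, table + i * struct.calcsize(SECTION_HDR))
        name = f[0].rstrip(b"\x00").decode("ascii", "replace")
        sections.append(Section(name, f[1], f[2], f[3], f[4], f[9]))
    return sections


def diff_against_baseline(baseline: List[Section], current: List[Section]) -> Dict[str, List[str]]:
    """Names of sections added beyond the baseline, altered in place, or missing."""
    base = {s.name: s for s in baseline}
    cur = {s.name: s for s in current}
    return {
        "added": [s.name for s in current if s.name not in base],
        "changed": [s.name for s in current if s.name in base and base[s.name] != s],
        "missing": [s.name for s in baseline if s.name not in cur],
    }


def build_sample_pe(sections: List[Section]) -> bytes:
    """Construct a minimal header-only PE image (not loadable) with the given section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    img = dos + b"PE\x00\x00"
    img += struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, 0, 0x0102)  # i386, no optional header
    for s in sections:
        img += struct.pack(SECTION_HDR, s.name.encode("ascii").ljust(8, b"\x00"),
                           s.virtual_size, s.virtual_address, s.raw_size, s.raw_pointer,
                           0, 0, 0, 0, s.characteristics)
    return bytes(img)


# Constructed baseline: the section table of a trusted copy of the binary.
BASELINE = [
    Section(".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
    Section(".data", 0x200, 0x2000, 0x200, 0x1400, 0xC0000040),
]
# Constructed tampered copy: two sections appended to the table (names are illustrative).
TAMPERED = BASELINE + [
    Section(".xtra0", 0x800, 0x3000, 0x800, 0x1600, 0xE0000020),
    Section(".xtra1", 0x400, 0x4000, 0x400, 0x1E00, 0xC0000040),
]


def check(baseline: List[Section], image: bytes) -> Dict[str, List[str]]:
    """Compare the section table read from `image` against a recorded baseline."""
    return diff_against_baseline(baseline, parse_sections(image))


if __name__ == "__main__":
    print(check(BASELINE, build_sample_pe(TAMPERED)))
```

In practice the baseline would be captured once per installed tool (for example right after installing a simulation suite) and the check re-run on a schedule; a non-empty "added" or "changed" list on a binary that nobody updated is the signal worth investigating.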
Strategic sabotage rather than generic espionage
According to SentinelLabs, the patching patterns suggest the driver was designed to hijack or influence the execution flows of precision calculation tools used in civil engineering, physics, and physical process simulations.
Fast16's tampering, the cybersecurity firm notes, would result in different outputs being produced, with strategic sabotage as the aim.
“By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage,” SentinelLabs says.
A wormable component allowed the threat to infect other systems on the same network, preventing the sabotage from being discovered by re-running the calculations on a different machine.
“The engine relies on a compact set of just over a hundred pattern-matching rules and a small dispatch table, so it only inspects bytes that are likely to matter,” SentinelLabs notes.
The cybersecurity firm identified three high-precision engineering and simulation suites potentially targeted by Fast16, namely LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, but has yet to identify the binaries in the driver's crosshairs.
There is evidence that LS-DYNA has been used by Iran as part of its nuclear weapons development program. Iran's nuclear program was also targeted by the Stuxnet malware created by the US and Israel.
SentinelLabs notes that the malware's existence shows that state-grade cyber-sabotage capabilities were fully developed and deployed by the mid-2000s.
“In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits. It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today,” the cybersecurity agency notes.
Related: 'DarkSword' iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors
Related: Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks
Related: Nation-State iOS Exploit Kit 'Coruna' Found Powering Global Attacks
Related: Cyber Insights 2026: Cyberwar and Rising Nation State Threats