Researchers Discover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software

Cybersecurity researchers have discovered a Lua-based malware developed years before the infamous Stuxnet worm, which sought to sabotage Iran’s nuclear program by destroying uranium enrichment centrifuges.

According to a new report published by SentinelOne, a previously undocumented cyber-sabotage effort began in 2005, targeting precision-computing software in order to corrupt its results. The tool is codenamed fast16.

“By combining this payload with self-distribution methods, attackers aim to generate the same inaccurate statistics across the entire facility,” said researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade in a comprehensive report published this week.

Fast16 predates Stuxnet by at least five years. Stuxnet was the first known digital weapon designed for physical sabotage and later served as the basis for the Duqu data-stealing rootkit. Stuxnet is widely believed to have been developed by the US and Israel.

It also predates the first known samples of Flame (also known as Flamer and Skywiper), another sophisticated malware discovered in 2012 that incorporates the Lua virtual machine to achieve its goals. The discovery makes fast16 the earliest known Windows malware to embed the Lua engine.

SentinelOne said it discovered this after identifying an artifact called “svcmgmt.exe” that, at first, appeared to be a standard console mode service wrapper. The sample has a file creation timestamp of August 30, 2005, per VirusTotal, where it was uploaded more than a decade later on October 8, 2016.

However, a deeper investigation revealed an embedded Lua 5.0 virtual machine and an encrypted bytecode container, as well as various other modules that hook directly into the Windows NT file system, registry, service control, and network APIs.

The implant’s core logic resides in Lua bytecode. The binary also references the kernel driver (“fast16.sys”) through a PDB path, a file with a creation date of July 19, 2005; the driver is responsible for intercepting and patching executable code as it is read from disk. That said, it’s important to note that the driver won’t work on systems running Windows 7 or later.
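The two static indicators described above, an embedded Lua 5.0 chunk and a PDB path naming the driver, are both cheap to look for during triage. The following is an added example written for this page, not code from SentinelOne or from the fast16 sample itself; it assumes a file is handed over as raw bytes, and the `SAMPLE` blob it scans is constructed here (the PDB path in it is invented for the example; the report does not give the real one). It keys on two documented formats: precompiled Lua chunks begin with the signature `\x1bLua` followed by a version byte (0x50 for Lua 5.0), and CodeView debug records begin with `RSDS`, a 16-byte GUID, a 4-byte age, and a NUL-terminated PDB path.

```python
import struct

LUA_SIGNATURE = b"\x1bLua"
# Version byte that follows the signature in a precompiled Lua chunk header.
LUA_VERSIONS = {0x50: "5.0", 0x51: "5.1", 0x52: "5.2", 0x53: "5.3", 0x54: "5.4"}


def find_lua_chunks(data: bytes):
    """Return (offset, version) for every Lua chunk header found in data."""
    hits = []
    start = 0
    while True:
        idx = data.find(LUA_SIGNATURE, start)
        if idx < 0 or idx + 4 >= len(data):
            break
        version_byte = data[idx + 4]
        label = LUA_VERSIONS.get(version_byte, "unknown(0x%02x)" % version_byte)
        hits.append((idx, label))
        start = idx + 1
    return hits


def find_pdb_paths(data: bytes):
    """Return PDB paths from CodeView RSDS records: 'RSDS' + GUID(16) + age(4) + path\\0."""
    paths = []
    start = 0
    while True:
        idx = data.find(b"RSDS", start)
        if idx < 0:
            break
        body = idx + 4 + 16 + 4          # skip signature, GUID and age
        end = data.find(b"\x00", body)
        if end > body:
            try:
                paths.append(data[body:end].decode("ascii"))
            except UnicodeDecodeError:
                pass                      # not a real RSDS record, keep scanning
        start = idx + 1
    return paths


def triage(data: bytes, pdb_keywords=("fast16",)):
    """Combine both indicators; a Lua chunk plus a matching PDB name is flagged."""
    lua = find_lua_chunks(data)
    pdbs = find_pdb_paths(data)
    flagged = [p for p in pdbs if any(k in p.lower() for k in pdb_keywords)]
    return {
        "lua_chunks": lua,
        "pdb_paths": pdbs,
        "flagged_pdb": flagged,
        "suspicious": bool(lua and flagged),
    }


# Constructed test blob (not a real sample): a fake DOS header, one RSDS record
# with an invented build path, some padding, then a Lua 5.0 chunk header.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"D:\\dev\\driver\\fast16.pdb\x00"
    + b"\x90" * 16
    + b"\x1bLua\x50" + b"\x01\x04\x04\x04\x06\x08" + b"\x00" * 8
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against any PE you want to triage by reading the file into `data`; a hit on both indicators is a reason to look closer, not proof of fast16, since plenty of legitimate software embeds Lua and ships PDB paths.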

In a finding that may hint at the tool’s origin, SentinelOne said it found a reference to the string “fast16” in a text file called “drv_list.txt” that lists drivers intended for use in advanced persistent threat (APT) attacks. The approximately 250KB file was leaked by a mysterious hacking group nine years ago.

In 2016 and 2017, the group, calling itself the Shadow Brokers, published a trove of data allegedly stolen from the Equation Group, a sophisticated advanced persistent threat group suspected of having ties to the US National Security Agency (NSA). The release, dubbed “Lost in Translation,” included a number of hacking and exploit tools; the text file was among them.

“The thread within svcmgmt.exe provided the primary link of inquiry in this investigation,” SentinelOne said. “The PDB trail connects the 2017 leak of signatures used by NSA operators with a Lua-powered multi-state ‘carrier’ module assembled in 2005, and finally its hidden payload: a kernel driver designed to destroy with precision.”

“Svcmgmt.exe” is described as a “highly adaptable carrier module” that changes its behavior based on the command-line arguments passed to it: it can run as a Windows service or execute Lua code. It carries three different payloads: Lua bytecode that handles configuration, distribution, and linking logic; a helper ConnotifyDLL (“svcmgmt.dll”); and the kernel driver “fast16.sys”.

Specifically, it is designed to parse its configuration, install itself as a service, selectively deploy the kernel implant, and launch a Service Control Manager (SCM) wormlet that scans network servers and spreads the malware to other Windows 2000/XP systems with weak or default credentials.

An important point to mention here is that propagation occurs only when it is manually forced, or when no common security products are found on the system, which the malware determines by scanning the Windows Registry for related keys. The security vendors it checks for include Agnitum, F-Secure, Kaspersky, McAfee, Microsoft, Symantec, Sygate Technologies, and Trend Micro.

The presence of Sygate Technologies is another indication that the sample was built in the mid-2000s, as the company was acquired by Symantec, now part of Broadcom, in August 2025, and the sale and support of its products was officially terminated in November.

“For devices of this age, that level of environmental awareness is remarkable,” SentinelOne said. “Although the list of products may not seem complete, it shows the products that operators expect to have in their networks that their detection technology can threaten the subtleties of the stealth operation.”

ConnotifyDLL, on the other hand, is invoked every time the system establishes a new network connection through the Remote Access Service (RAS), and writes the remote and local connection names to a named pipe (“\\.\pipe\p577”).
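The SCM-based propagation described a few paragraphs up and the named pipe mentioned here both leave host-level traces that a monitoring pipeline can match on. The example below is added for this page and is not SentinelOne’s code or anything from the fast16 toolkit; it runs a small rule set over constructed event lines in a simplified key=value form loosely modelled on the Windows System log event 7045 (a service was installed) and the Sysmon event 17 (PipeCreated). The field names (`host`, `event`, `service`, `image`, `pipe`, `account`) and the sample hosts and paths are assumptions made up for the example; only the file names and the pipe name come from the report.

```python
import re

# Constructed sample events (not from the report). Field names are assumptions.
SAMPLE_EVENTS = [
    'host=ws01 event=7045 service="Service Manager" image="C:\\WINDOWS\\system32\\svcmgmt.exe" account=LocalSystem',
    'host=ws01 event=7045 service="Print Spooler" image="C:\\WINDOWS\\system32\\spoolsv.exe" account=LocalSystem',
    'host=ws02 event=17 image="C:\\WINDOWS\\system32\\svcmgmt.exe" pipe="\\\\.\\pipe\\p577"',
    'host=ws02 event=17 image="C:\\WINDOWS\\system32\\lsass.exe" pipe="\\\\.\\pipe\\lsass"',
    'host=ws03 event=7045 service="fast16" image="system32\\drivers\\fast16.sys" account=LocalSystem',
]

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Indicators taken from the report: carrier, helper DLL, driver and pipe name.
KNOWN_NAMES = ("svcmgmt.exe", "svcmgmt.dll", "fast16.sys")
KNOWN_PIPES = ("\\\\.\\pipe\\p577",)


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict, stripping quotes from quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def evaluate(event: dict):
    """Apply the two rules to one parsed event; return a list of alert tuples."""
    alerts = []
    image = event.get("image", "").lower()
    # Rule 1: a service was installed whose binary matches a known file name.
    if event.get("event") == "7045" and any(image.endswith(n) for n in KNOWN_NAMES):
        alerts.append(("service_install", event.get("host"), image))
    # Rule 2: a named pipe with the reported name was created.
    if event.get("event") == "17" and event.get("pipe") in KNOWN_PIPES:
        alerts.append(("named_pipe", event.get("host"), event.get("pipe")))
    return alerts


def run_detection(lines):
    """Run both rules over a sequence of raw event lines."""
    alerts = []
    for line in lines:
        alerts.extend(evaluate(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Matching on file and pipe names is the weakest kind of indicator, since an operator can rename both; the more durable signal from the report is the behaviour itself, a freshly installed service whose binary arrived over the network on a Windows 2000/XP host, which is why the service-install rule is worth keeping even with the name list swapped out.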

However, it is the driver that carries out the precise sabotage. It targets executables built with the Intel C/C++ compiler and applies rule-based patches that hijack execution flow through malicious code injection. One such rule block is capable of corrupting mathematical calculations, particularly in tools used for civil engineering, physics, and the simulation of physical processes.

“By introducing small but systematic errors in global calculations, the framework can undermine or delay scientific research programs, disrupt engineering systems over time, or contribute to catastrophic damage,” SentinelOne explained.

“By separating the stable execution wrapper from the encrypted, mission-specific payload, engineers have created a reusable, disparate framework that they can adapt to different target scenarios and operational objectives while leaving the external carrier largely unchanged across campaigns.”

Based on analysis of the 101 rules defined in the modification engine, compared against software in use in the mid-2000s, SentinelOne assesses that three high-precision engineering and simulation suites may have been the targets: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform.

LS-DYNA, now part of the Ansys Suite, is a multi-purpose physics simulation software package used to simulate crashes, impacts, and explosions. In September 2024, the Institute for Science and International Security (ISIS) issued a report detailing Iran’s use of computer modeling software such as LS-DYNA related to nuclear weapons development based on an examination of 157 academic publications found in open source scientific and engineering journals.

This chain of evidence takes on added significance given that Iran’s nuclear program is said to have suffered significant damage after its uranium enrichment facility in Natanz was targeted by the Stuxnet worm in June 2010. In addition, in February 2013 Symantec disclosed an earlier version of Stuxnet that was used to attack Iran’s nuclear program, with evidence of its activity dating back to November 2005.

“Stuxnet 0.5 is the oldest version of Stuxnet to be analyzed,” Symantec noted at the time. “Stuxnet 0.5 contained another attack strategy, closing valves inside the uranium enrichment facility in Natanz, Iran, which would have caused significant damage to the centrifuges and the uranium enrichment system as a whole.”

Taken together, the latest findings “force a re-examination” of the historical timeline for the development of clandestine cyber sabotage activities, SentinelOne said, adding that it shows that government-sponsored cyber sabotage tools against visible targets were fully developed and deployed by the mid-2000s.

“In the broader picture of the evolution of APT, fast16 bridges the gap between the early, mostly abstract development programs and the later, Lua- and LuaJIT-based tools that are widely documented,” the researchers concluded. “It is a point of understanding how progressive actors think about long-term installation, destruction, and the ability of the landscape to reshape the virtual world through software. fast16 was a silent precursor to a new kind of landscape art, successful in its obscurity until today.”
