    Pre-Stuxnet Sabotage Malware ‘Fast16’ Linked to US-Iran Cyber Tensions

    By admin, April 24, 2026

    SentinelOne has discovered a Lua-based sabotage malware created years before the notorious Stuxnet malware and designed to tamper with high-precision calculation software.

    Dubbed Fast16, the malware was referenced in the ShadowBrokers’ leak of National Security Agency (NSA) offensive tools and was used in an attack in 2005. SentinelOne has found evidence indicating that Fast16, just like Stuxnet, may have been developed by the United States.

    While looking for the first use of Lua in Windows malware, SentinelLabs uncovered ‘svcmgmt.exe’, a service binary with an embedded Lua 5.0 virtual machine that referenced the kernel driver ‘fast16.sys’.

    Designed for pre-Windows 7 systems, the driver would provide control over filesystem I/O, while including rule-based code patching functionality that points toward state-sponsored use.

    SentinelLabs’ analysis showed that svcmgmt.exe is the core component of Fast16, serving as a carrier module that, based on command-line arguments, could run as a service, execute Lua code, and interpret a filename to spawn two commands.

    Svcmgmt.exe contains three payloads: Lua code handling configuration, propagation, and coordination; an auxiliary DLL; and the kernel driver.

    “By separating a relatively stable execution wrapper from encrypted, task-specific payloads, the developers created a reusable, compartmentalized framework that they could adapt to different target environments and operational objectives while leaving the outer carrier binary largely unchanged across campaigns,” SentinelLabs notes.

    For propagation, it used default or weak passwords for file shares on Windows 2000 and XP, moving between systems through standard APIs. Propagation, however, was conditional on the absence of specific vendor keys, which prevented execution in monitored environments.

    “For tooling of this age, that level of environmental awareness is notable. While the list of products may not seem comprehensive, it likely reflects the products the operators expected to be present in their target networks whose detection technology would threaten the stealthiness of a covert operation,” SentinelLabs notes.

    The fast16.sys kernel driver loads automatically alongside disk device drivers, inserts itself above filesystems, disables the Windows Prefetcher, resolves kernel APIs dynamically, and attaches itself to every filesystem device to route relevant I/O Request Packets and Fast I/O paths through these worker devices.

    The driver focuses on executable files compiled with the Intel C/C++ compiler, modifying their PE headers to add two additional sections, enabling extensive yet stable patching.
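A defender can check for this kind of tampering by comparing the section table of an observed executable against a known-good copy of the same build. The sketch below is an added example, not code from SentinelLabs or from the malware; the section names `.added1`/`.added2` and the header-only sample images are constructed for illustration.

```python
import struct

def pe_sections(data: bytes) -> list[tuple[str, int, int]]:
    """Return (name, virtual_size, raw_size) for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF file header follows the 4-byte PE signature.
    _machine, nsects, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsects):
        off = table + 40 * i  # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections

def added_sections(baseline: bytes, observed: bytes) -> list[tuple[str, int, int]]:
    """Sections present in the observed image but absent from the known-good baseline."""
    known = pe_sections(baseline)
    return [s for s in pe_sections(observed) if s not in known]

def _sample_pe(names: list[str]) -> bytes:
    """Constructed header-only PE stub (no optional header) for demonstration."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew stored at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    sects = b"".join(
        n.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0, 0, 0, 0, 0, 0)
        for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + sects

if __name__ == "__main__":
    good = _sample_pe([".text", ".data"])                           # constructed baseline
    seen = _sample_pe([".text", ".data", ".added1", ".added2"])     # constructed tampered copy
    for name, vsize, rsize in added_sections(good, seen):
        print(f"unexpected section {name!r}: vsize={vsize:#x} raw={rsize:#x}")
```

The baseline should come from trusted installation media or a signed vendor package, since a copy taken from the same host may already be altered.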

    Strategic sabotage rather than generic espionage

    According to SentinelLabs, the patching patterns suggest the driver was designed to hijack or influence the execution flows of precision calculation tools used in civil engineering, physics, and physical process simulations.

    Fast16’s tampering, the cybersecurity firm notes, would result in alternative outputs being produced, aiming for strategic sabotage.

    “By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage,” SentinelLabs says.

    A wormable component allowed the threat to infect other systems on the same network, preventing the sabotage from being discovered when calculations were verified on a different machine.

    “The engine relies on a compact set of just over a hundred pattern-matching rules and a small dispatch table, so it only inspects bytes that are likely to matter,” SentinelLabs notes.

    The cybersecurity firm identified three high-precision engineering and simulation suites potentially targeted by Fast16, namely LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, but has yet to identify binaries in the driver’s crosshairs.

    There is evidence that LS-DYNA has been used by Iran as part of its nuclear weapons development program. Iran’s nuclear program was also targeted by the Stuxnet malware created by the US and Israel.

    SentinelLabs notes that the malware’s existence shows that state‑grade cyber-sabotage capabilities had been fully developed and deployed by the mid-2000s.

    “In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits. It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today,” the cybersecurity firm notes.
