Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran’s nuclear program by destroying uranium enrichment centrifuges.
According to a new report published by SentinelOne, the previously undocumented cyber sabotage framework dates back to 2005, primarily targeting high-precision calculation software to tamper with results. It has been codenamed fast16.
“By combining this payload with self-propagation mechanisms, the attackers aim to produce equivalent inaccurate calculations across an entire facility,” researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade said in an exhaustive report published this week.
Fast16 is assessed to predate by at least five years Stuxnet, the first known digital weapon engineered for disruptive actions, which also served as the basis for the Duqu information-stealer rootkit. Stuxnet is widely believed to have been developed by the U.S. and Israel.
It also precedes the earliest known samples of Flame (aka Flamer and Skywiper), another sophisticated malware, discovered in 2012, that incorporated a Lua virtual machine to realize its goals. The discovery makes fast16 the first strain of Windows malware to embed a Lua engine.
SentinelOne said it made the discovery after it identified an artifact named “svcmgmt.exe” that, at first blush, appeared to be a generic console-mode service wrapper. The sample has a file creation timestamp of August 30, 2005, per VirusTotal, to which it was uploaded more than a decade later on October 8, 2016.
However, a deeper investigation has revealed an embedded Lua 5.0 virtual machine and an encrypted bytecode container, along with various other modules that bind directly into Windows NT file system, registry, service control, and network APIs.
The implant’s core logic resides in the Lua bytecode. The binary also references, via a PDB path, a kernel driver (“fast16.sys”, a file with a creation date of July 19, 2005) that is responsible for intercepting and modifying executable code as it’s read from disk. That said, it’s worth noting that the driver will not run on systems with Windows 7 or later.
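As an added illustration (not code from the SentinelOne report or this article), the following Python triage helper looks for the two kinds of evidence the report describes for an embedded Lua engine: the interpreter's own version banner, which survives even when the bytecode container is encrypted, and any plaintext precompiled-chunk headers. The chunk magic and the "Lua X.Y" banner are documented Lua facts; the sample byte strings are constructed and are not fast16 bytes.

```python
import re
from pathlib import Path

# Precompiled Lua chunk header: ESC "Lua" followed by a version byte
# (0x50 = Lua 5.0, 0x51 = Lua 5.1, ...). Documented Lua format, not article data.
LUA_CHUNK_MAGIC = b"\x1bLua"

# Version banner every stock interpreter compiles in (LUA_VERSION in lua.h),
# e.g. "Lua 5.0". An encrypted bytecode container does not hide this.
LUA_VERSION_RE = re.compile(rb"Lua (\d\.\d)")

# Runtime error strings from the Lua VM sources; weaker, corroborating evidence.
LUA_RUNTIME_STRINGS = (b"attempt to %s a %s value", b"not enough memory")


def scan_for_lua(data: bytes) -> dict:
    """Collect indicators of an embedded Lua engine in a raw file image."""
    found = {"chunk_versions": [], "runtime_versions": [], "runtime_strings": []}
    pos = data.find(LUA_CHUNK_MAGIC)
    while pos != -1:
        if pos + len(LUA_CHUNK_MAGIC) < len(data):
            ver = data[pos + len(LUA_CHUNK_MAGIC)]      # high nibble.major, low nibble.minor
            found["chunk_versions"].append(f"{ver >> 4}.{ver & 0xF}")
        pos = data.find(LUA_CHUNK_MAGIC, pos + 1)
    found["runtime_versions"] = sorted({m.group(1).decode() for m in LUA_VERSION_RE.finditer(data)})
    found["runtime_strings"] = [s.decode() for s in LUA_RUNTIME_STRINGS if s in data]
    return found


def verdict(found: dict) -> str:
    """A banner or chunk header is strong evidence; error strings alone only a hint."""
    versions = sorted(set(found["runtime_versions"] + found["chunk_versions"]))
    if versions:
        return "embedded Lua engine (version " + "/".join(versions) + ")"
    if found["runtime_strings"]:
        return "possible Lua runtime (error strings only)"
    return "no Lua indicators"


def scan_file(path: str) -> str:
    return verdict(scan_for_lua(Path(path).read_bytes()))


# Constructed sample images: a binary carrying a Lua 5.0 interpreter whose bytecode
# is encrypted (only runtime strings visible), and one with a plaintext 5.0 chunk
# (the bytes after the version byte are made-up header filler).
SAMPLE_ENCRYPTED_BYTECODE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"$Lua: Lua 5.0 Copyright (C) 1994-2003 Tecgraf, PUC-Rio $\x00"
    + b"attempt to %s a %s value\x00not enough memory\x00"
    + bytes(range(256))     # stand-in for an opaque, encrypted bytecode container
)
SAMPLE_PLAIN_CHUNK = b"MZ\x90\x00" + b"\x00" * 16 + b"\x1bLua\x50" + b"\x01\x04\x04\x04"

if __name__ == "__main__":
    for name, img in (("encrypted", SAMPLE_ENCRYPTED_BYTECODE), ("plain", SAMPLE_PLAIN_CHUNK)):
        print(name, "->", verdict(scan_for_lua(img)))
```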
In a finding that could hint at the tool’s origins, SentinelOne said it uncovered a reference to the string “fast16” in a text file called “drv_list.txt” that included a list of drivers designed for use in advanced persistent threat (APT) attacks. The nearly 250KB file was leaked by a mysterious hacking group nine years ago.
In 2016 and 2017, the collective – calling itself The Shadow Brokers – published vast troves of data allegedly stolen from the Equation Group, an advanced persistent threat group with suspected ties to the U.S. National Security Agency (NSA). This included a bevy of hacking tools and exploits under the nickname “Lost in Translation.” The text file was one of them.
“The string inside svcmgmt.exe provided the key forensic link in this…