SentinelOne researchers revealed fast16, a previously undetected cyberweapon compiled in 2005 that predates Stuxnet by five years and silently corrupted engineering and nuclear simulation outputs. Analysts Vitaly Kamluk and Juan Andrés Guerrero-Saade presented the code and timeline at Black Hat Asia after finding an svcmgmt.exe sample containing an embedded Lua 5.0 VM, encrypted bytecode, and a kernel driver fast16.sys. Fast16 runs on single-core-era Windows, uses a multi-mode carrier to install or execute payloads, spreads via “wormlets” across network shares, and includes a DLL that logs dial-up/VPN connections to map internal network topology. The discovery shifts understanding of early cyberweapons and shows sophisticated remote-control and espionage capabilities existed before Stuxnet.
SentinelOne researchers disclosed fast16, a stealthy cyberweapon compiled in 2005 that silently corrupted scientific and engineering simulations and remained undetected for 21 years — predating Stuxnet by five years. Analysts Vitaly Kamluk and Juan Andrés Guerrero-Saade found a 2016 VirusTotal upload (svcmgmt.exe) that embeds a Lua 5.0 VM, encrypted bytecode, a network-mapping DLL and a kernel driver fast16.sys; the tool targets single-core-era Windows systems. Fast16 runs as a modular carrier that spreads via network shares, installs as a service, exfiltrates dial-up/VPN connection details, and injects calculation-manipulating payloads — demonstrating early use of Lua scripting and sophisticated reconnaissance and sabotage techniques years before Stuxnet. The discovery reshapes the timeline of state-level cyber sabotage.
SentinelOne researchers uncovered 'Fast16', a mysterious software sabotage campaign that predated Stuxnet by about five years and shows unusually precise, targeted manipulation of industrial control system software. The analysis links artifacts to the Shadow Brokers leak and details tailored, zero-day-like modifications that would damage specific systems while evading broad detection. The key player is SentinelOne Labs; the implications touch on nation-state-style tactics, early ICS-targeting tradecraft, and gaps in the historical attribution of cyber-physical attacks. This matters because Fast16 rewrites the timeline of high-precision sabotage, highlights risks to critical infrastructure, and informs defenders and policymakers about the earlier adoption of surgical cyberweapons and the need for stronger ICS security and forensic techniques.
SentinelOne researchers say they have identified “FAST16,” malware designed for industrial sabotage that may date to around 2005—about five years before Stuxnet. Speaking at Black Hat Asia on 24 April 2026, SentinelOne’s Vitaly Kamluk said the find emerged from a hunt for early nation-state tooling that used Lua, similar to Flame, Animal Farm, and Project Sauron. The team traced a sample uploaded to VirusTotal in 2016 referencing “fast16” and noted a related mention in the 2016 Shadow Brokers leak linked to the NSA. FAST16 reportedly only runs on Windows XP and single-core CPUs, and installs a driver (fast16.sys) that alters floating-point outputs while seeking specific engineering simulation tools, including LS-DYNA 970, PKPM, and MOHID. The work highlights early cyber-physical attack techniques and long-term implant evolution.
Researchers at SentinelOne have reverse-engineered Fast16, a stealthy sabotage malware dating to 2005 that predates and may have targeted Iran’s nuclear program before Stuxnet. Vitaly Kamluk and Juan Andrés Guerrero-Saade found Fast16 spreads across networks and subtly manipulates high-precision simulation and calculation software—such as LS-DYNA, PKPM, and MOHID—to introduce small errors that can cause research failures or physical damage. The code’s sophistication and timing suggest it was likely developed by the US or an ally and used to undermine scientific and engineering workflows, potentially affecting nuclear-related simulations. The findings, to be presented at Black Hat Asia, expand the historical record of state-backed cybersabotage and highlight a stealthy class of supply-chain-like attacks on critical simulation tools.