Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software

By primereports, April 26, 2026
Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran’s nuclear program by destroying uranium enrichment centrifuges.

According to a new report published by SentinelOne, the previously undocumented cyber sabotage framework dates back to 2005, primarily targeting high-precision calculation software to tamper with results. It has been codenamed fast16.

“By combining this payload with self-propagation mechanisms, the attackers aim to produce equivalent inaccurate calculations across an entire facility,” researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade said in an exhaustive report published this week.

Fast16 is estimated to predate Stuxnet – the world’s first known digital weapon designed for disruptive actions – by at least five years. While Stuxnet is widely attributed to the U.S. and Israel and later served as the architectural foundation for the Duqu information-stealing rootkit, fast16 appears to have emerged much earlier.

It also precedes the earliest known samples of Flame (aka Flamer and Skywiper), another sophisticated malware that was discovered in May 2012 incorporating a Lua virtual machine to realize its goals. The discovery makes fast16 the first strain of Windows malware to embed a Lua engine.

SentinelOne said it made the discovery after it identified an artifact named “svcmgmt.exe” that, at first blush, appeared to be a generic console‑mode service wrapper. The sample has a file creation timestamp of August 30, 2005, per VirusTotal, to which it was uploaded more than a decade later on October 8, 2016.

However, a deeper investigation has revealed an embedded Lua 5.0 virtual machine and an encrypted bytecode container, along with various other modules that bind directly into Windows NT file system, registry, service control, and network APIs.

The implant’s core logic resides in the Lua bytecode, with the binary also referencing a kernel driver (“fast16.sys“) via a PDB path – a file with a creation date of July 19, 2005 – that’s responsible for intercepting and modifying executable code as it’s read from disk. That said, it’s worth noting that the driver will not run on systems with Windows 7 or later.

In a finding that may point to the tool’s origins, SentinelOne said it uncovered the string “fast16” in a text file called “drv_list.txt” that lists drivers designed for use in advanced persistent threat (APT) attacks. The roughly 250KB file was leaked by a mysterious hacking group nine years ago.

In 2016 and 2017, the collective – calling itself The Shadow Brokers – published vast troves of data allegedly stolen from the Equation Group, an advanced persistent threat group with suspected ties to the U.S. National Security Agency (NSA). This included a bevy of hacking tools and exploits under the nickname “Lost in Translation.” The text file was one of them.

“The string inside svcmgmt.exe provided the key forensic link in this investigation,” SentinelOne said. “The PDB path connects the 2017 leak of deconfliction signatures used by NSA operators with a multi-modal Lua‑powered ‘carrier’ module compiled in 2005, and ultimately its stealthy payload: a kernel driver designed for precision sabotage.”

“Svcmgmt.exe” has been described as a “highly adaptable carrier module” that can alter its behavior based on the command-line arguments passed to it, enabling it to run as a Windows service or execute Lua code. It comes with three distinct payloads: Lua bytecode to handle configuration and propagation and coordination logic, an auxiliary ConnotifyDLL (“svcmgmt.dll“), and the “fast16.sys” kernel driver.

Specifically, it’s designed to parse the configuration, escalate itself as a service, optionally deploy the kernel implant, and launch a Service Control Manager (SCM) wormlet that scans for network servers and propagates the malware to other Windows 2000/XP environments with weak or default credentials.

An important caveat is that propagation occurs only when it is manually forced, or when no common security products are found on the system; the check is performed by scanning the Windows Registry for the vendors’ associated registry keys. Some of the security tools it explicitly checks for belong to Agnitum, F-Secure, Kaspersky, McAfee, Microsoft, Symantec, Sygate Technologies, and Trend Micro.

The presence of Sygate Technologies is another indicator that the sample was developed in the mid-2000s, as the company was acquired by Symantec (now part of Broadcom) in August 2005, and sales and support for its products were formally discontinued by November.

“For tooling of this age, that level of environmental awareness is notable,” SentinelOne said. “While the list of products may not seem comprehensive, it likely reflects the products the operators expected to be present in their target networks whose detection technology would threaten the stealthiness of a covert operation.”

The ConnotifyDLL, on the other hand, is invoked each time the system establishes a new network connection using the Remote Access Service (RAS), and writes the remote and local connection names to a named pipe (“\\.\pipe\p577”).
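The report surfaces three static indicators a defender can triage for without executing anything: an embedded Lua 5.0 bytecode chunk, a PDB path referencing fast16, and the hard-coded named pipe “\\.\pipe\p577”. The script below is an added example, not SentinelOne’s tooling or anything from the report; it scans a byte buffer for those three artifacts. The PDB path `C:\placeholder\fast16.pdb` and the sample bytes are constructed stand-ins, and the Lua 5.0 header layout it checks is the one written by Lua 5.0’s dumper (signature `\x1bLua` followed by version byte `0x50`).

```python
import re
from dataclasses import dataclass, field

# Lua precompiled-chunk magic and the version byte Lua 5.0 writes after it.
LUA_SIGNATURE = b"\x1bLua"
LUA50_VERSION = 0x50

# Named pipe reported for the ConnotifyDLL: \\.\pipe\p577 (bytes literal escaping).
PIPE_NAME = b"\\\\.\\pipe\\p577"

# A printable, NUL-terminated string ending in ".pdb" (CodeView debug path).
PDB_PATH_RE = re.compile(rb"[\x20-\x7e]{4,260}?\.pdb\x00")


@dataclass
class TriageResult:
    lua_chunks: list = field(default_factory=list)    # (offset, version byte)
    pdb_paths: list = field(default_factory=list)     # raw PDB path strings
    pipe_offsets: list = field(default_factory=list)  # offsets of PIPE_NAME

    @property
    def fast16_pdb_hits(self):
        """PDB paths whose name mentions fast16 (case-insensitive)."""
        return [p for p in self.pdb_paths if b"fast16" in p.lower()]

    @property
    def suspicious(self) -> bool:
        """True if any of the three report indicators is present."""
        has_lua50 = any(v == LUA50_VERSION for _, v in self.lua_chunks)
        return bool(has_lua50 or self.fast16_pdb_hits or self.pipe_offsets)


def find_all(data: bytes, needle: bytes):
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def find_lua_chunks(data: bytes):
    """Locate Lua chunk headers and record the version byte that follows."""
    return [(i, data[i + 4]) for i in find_all(data, LUA_SIGNATURE)
            if i + 4 < len(data)]


def find_pdb_paths(data: bytes):
    """Extract NUL-terminated .pdb paths; the trailing NUL is dropped."""
    return [m.group(0)[:-1] for m in PDB_PATH_RE.finditer(data)]


def triage(data: bytes) -> TriageResult:
    """Run all three indicator checks over a raw file image."""
    return TriageResult(
        lua_chunks=find_lua_chunks(data),
        pdb_paths=find_pdb_paths(data),
        pipe_offsets=find_all(data, PIPE_NAME),
    )


def build_sample() -> bytes:
    """Constructed stand-in for a carrier binary (not a real sample).

    Layout: 'MZ' + padding, a Lua 5.0 header (version 0x50, little-endian,
    sizeof int/size_t/Instruction = 4, opcode field widths 6/8/9/9,
    sizeof lua_Number = 8), a CodeView 'RSDS' record with a placeholder
    fast16 PDB path, and the ConnotifyDLL pipe name.
    """
    lua_header = LUA_SIGNATURE + bytes([LUA50_VERSION, 1, 4, 4, 4, 6, 8, 9, 9, 8])
    codeview = (b"RSDS" + b"\x00" * 16 + b"\x01\x00\x00\x00"
                + b"C:\\placeholder\\fast16.pdb\x00")
    return (b"MZ" + b"\x00" * 60 + lua_header + b"\x00" * 32
            + codeview + b"\x00" * 8 + PIPE_NAME + b"\x00")


if __name__ == "__main__":
    result = triage(build_sample())
    print("Lua chunks:", result.lua_chunks)
    print("fast16 PDB hits:", result.fast16_pdb_hits)
    print("pipe offsets:", result.pipe_offsets)
    print("suspicious:", result.suspicious)
```

Each indicator is weak on its own (many legitimate binaries embed Lua, and a PDB string is trivially editable), so the result is meant as a triage signal that routes a file to deeper analysis, not as a verdict. Running it over a real file is a matter of passing `open(path, "rb").read()` to `triage`.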

However, it’s the driver that’s responsible for the precision sabotage, targeting executables compiled with the Intel C/C++ compiler to perform rule-based patching and hijack execution flow through malicious code injections. One such block is capable of corrupting mathematical calculations, specifically going after tools used in civil engineering, physics, and physical process simulations.

“By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage,” SentinelOne explained.

“By separating a relatively stable execution wrapper from encrypted, task-specific payloads, the developers created a reusable, compartmentalized framework that they could adapt to different target environments and operational objectives while leaving the outer carrier binary largely unchanged across campaigns.”

Based on an analysis of the 101 rules defined in the patching engine, matched against software in use in the mid-2000s, it’s assessed that three high-precision engineering and simulation suites may have been the targets: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform.

LS-DYNA, now part of the Ansys suite, is a general-purpose multiphysics simulation package used for simulating crashes, impacts, and explosions. In September 2024, the Institute for Science and International Security (ISIS) released a report detailing Iran’s likely use of computer modeling software like LS-DYNA in nuclear weapons development, based on an examination of 157 academic publications found in open-source scientific and engineering literature.

This chain of evidence assumes significance considering Iran’s nuclear program is said to have suffered substantial damage after its uranium enrichment facility in Natanz was targeted by the Stuxnet worm in June 2010. What’s more, Symantec revealed in February 2013 an earlier version of Stuxnet that was used to attack Iran’s nuclear program in November 2007, with evidence indicating it was under development as early as November 2005.

“Stuxnet 0.5 is the oldest known Stuxnet version to be analyzed,” Symantec noted at the time. “Stuxnet 0.5 contains an alternative attack strategy, closing valves within the uranium enrichment facility at Natanz, Iran, which would have caused serious damage to the centrifuges and uranium enrichment system as a whole.”

Taken together, the latest finding “forces a re‑evaluation” of the historical timeline of development for clandestine cyber sabotage operations, SentinelOne said, adding it shows state-backed cyber sabotage tooling against physical targets had been fully developed and deployed by the mid‑2000s.

“In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits,” the researchers concluded. “It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today.”
