Researchers discover pre-Stuxnet ‘fast16’ malware targeting engineering software

April 25, 2026

Cybersecurity researchers have discovered new Lua-based malware that was created several years before the infamous Stuxnet worm, which was aimed at disrupting Iran’s nuclear program by sabotaging uranium enrichment centrifuges.

According to a new report published by SentinelOne, the previously undocumented cyber sabotage framework, code-named fast16, dates back to 2005 and primarily targeted high-precision calculation software in order to falsify its results.

“By combining this payload with a self-propagation mechanism, the attackers aim to perform equally inaccurate calculations throughout the facility,” researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade said in an exhaustive report published this week.

Fast16 is assessed to be at least five years older than Stuxnet, the first known digital weapon designed for destructive behavior and the basis for the Duqu information-stealing rootkit. Stuxnet is widely believed to have been developed by the United States and Israel.

It also predates the earliest known samples of Flame (also known as Flamer and Skywiper), another sophisticated malware discovered in 2012, which included a Lua virtual machine to accomplish its goals. This discovery makes fast16 the first Windows malware to incorporate a Lua engine.

SentinelOne said it made the discovery after identifying an artifact named “svcmgmt.exe” that at first glance appears to be a generic console-mode service wrapper. According to VirusTotal, the sample has a file creation timestamp of August 30, 2005, and was uploaded more than a decade later, on October 8, 2016.

Closer inspection, however, revealed an embedded Lua 5.0 virtual machine and an encrypted bytecode container, along with various other modules that bind directly to the Windows NT file system, registry, service control, and network APIs.

The core logic of the implant resides in the Lua bytecode. The binary also references a kernel driver, ‘fast16.sys’ (a file with a creation date of July 19, 2005), via its PDB path. This driver is responsible for intercepting and modifying executable code as it is read from disk; it does not run on Windows 7 or newer systems.

SentinelOne also reported a finding that could point to the tool’s origins: a reference to the string “fast16” in a text file called “drv_list.txt,” which contains a list of drivers intended for use in Advanced Persistent Threat (APT) operations. The roughly 250 KB file was leaked nine years ago by a mysterious hacking group.

In 2016 and 2017, that group, which calls itself the Shadow Brokers, released large amounts of data allegedly stolen from the Equation Group, an advanced persistent threat actor with suspected ties to the U.S. National Security Agency (NSA). The releases included a series of hacking tools and exploits under the name “Lost in Translation,” and the text file was among them.

“Strings within svcmgmt.exe provided a key forensic link in this investigation,” SentinelOne said. “The PDB path ties together a 2017 leak of deconfliction signatures used by NSA operators, a multimodal Lua-powered ‘carrier’ module compiled in 2005, and ultimately its stealth payload, a kernel driver designed for precision sabotage.”

Svcmgmt.exe is described as an “adaptive carrier module” that changes its behavior based on the command-line arguments it is given, and can run either as a Windows service or as a Lua code runner. It carries three distinct payloads: Lua bytecode that handles configuration, propagation, and coordination logic; an auxiliary connection-notification DLL (‘svcmgmt.dll’); and the ‘fast16.sys’ kernel driver.

Specifically, it is designed to launch a Service Control Manager (SCM) wormlet that parses its configuration, installs itself as a service, optionally deploys the kernel implant, and scans network servers in order to propagate to other Windows 2000/XP systems using weak or default credentials.

Notably, propagation occurs only when forced manually or when no common security products are found on the system, which is determined by scanning the relevant keys in the Windows registry. The products it explicitly checks for include those from Agnitum, F-Secure, Kaspersky, McAfee, Microsoft, Symantec, Sygate Technologies, and Trend Micro.

The presence of Sygate Technologies is another indicator that the sample was developed in the mid-2000s: the company was acquired in August 2005 by Symantec (now part of Broadcom), and sales and support for its products were officially discontinued by November of that year.

“This level of environmental awareness is remarkable for a tool in this day and age,” SentinelOne said. “While the list of products may not appear comprehensive, it likely reflects products that operators expected to be present in target networks whose detection technology could threaten the stealth nature of covert operations.”

The connection-notification DLL, for its part, is invoked every time the system establishes a new network connection via the Remote Access Service (RAS), and writes the remote and local connection names to a named pipe (“\\.\pipe\p577”).

It is the kernel driver, however, that performs the actual sabotage. It targets executables compiled with the Intel C/C++ Compiler, applies rule-based patches, and hijacks the execution flow by injecting malicious code. One such injected block corrupts mathematical calculations and specifically targets tools used in civil engineering, physics, and the simulation of physical processes.

“By introducing small but systematic errors into calculations of the physical world, this framework can undermine or slow scientific research programs, degrade engineered systems over time, and even cause catastrophic damage,” SentinelOne explained.

“By separating a relatively stable execution wrapper from the encrypted task-specific payload, the developers created a reusable and compartmentalized framework that can adapt to different target environments and operational goals while leaving the outer carrier binary largely unchanged between campaigns.”

After analyzing the 101 rules defined in the patching engine and cross-checking them against software in use in the mid-2000s, the researchers determined that three high-precision engineering and simulation suites were potentially targeted: LS-DYNA 970, PKPM, and the MOHID fluid dynamics modeling platform.

LS-DYNA, now part of the Ansys Suite, is a general-purpose multiphysics simulation software package used to simulate collisions, impacts, and explosions. In September 2024, the Institute for Science and International Security (ISIS) published a report detailing the possibility that Iran used computer modeling software such as LS-DYNA in connection with its nuclear weapons development, based on a review of 157 academic publications in open source scientific and technical literature.

This body of evidence is considered significant given that the Natanz uranium enrichment facility was targeted by the Stuxnet worm in June 2010, an attack said to have severely damaged Iran’s nuclear program. Additionally, in February 2013, Symantec disclosed an early version of Stuxnet that was used to attack Iran’s nuclear program in November 2007, along with evidence that it was already in development in November 2005.

“Stuxnet 0.5 is the oldest known Stuxnet version analyzed,” Symantec said at the time. “Stuxnet 0.5 included an alternative attack strategy that closed a valve within the uranium enrichment facility in Natanz, Iran, which could have caused significant damage to the centrifuges and the entire uranium enrichment system.”

Taken together, the latest findings “force a reassessment” of the historical timeline of covert cyber sabotage operations, SentinelOne said, adding that they show state-sponsored cyber sabotage tools aimed at physical targets were fully developed and deployed by the mid-2000s.

“In the overall picture of APT evolution, fast16 bridges the gap between an early, largely invisible development program and the more widely documented Lua and LuaJIT-based toolkits that followed,” the researchers concluded. “This is a reference point for understanding how advanced actors are thinking about states’ ability to reshape the physical world through long-term implants, sabotage, and software. Fast16 was a quiet harbinger of a new form of national strategy that has been secretly successful to this day.”