Researchers find cyber-sabotage malware that may predate Stuxnet by five years

FAST16 could be the first cyberweapon, and its effects could be with us today

by · The Register

Black Hat Asia Infosec outfit SentinelOne found malware that tries to induce errors in engineering and physics simulation software and therefore represents an attempt at sabotage, and suggests it was created years before the Stuxnet worm that aimed to destroy Iran’s uranium enrichment centrifuges.

The company’s Vitaly Kamluk discussed the malware in a talk at the Black Hat Asia conference today. SentinelOne has also published a blog post about the malware.

Kamluk told the conference the discovery came about after he wondered if known nation-state-espionage tools like Flame, Animal Farm, and Project Sauron were the first of their kind. All three shared use of the Lua language and virtual machine, so he went looking for similar software.

That search led to a malware sample uploaded to VirusTotal in 2016 that includes a reference to “fast16”.

Kamluk’s analysis of the sample suggested the techniques its developers employed were not typical of 2016-era malware. SentinelOne researchers also recalled that the infamous ShadowBroker malware trove that appeared in 2016 and which was later linked to the United States National Security Agency, contained a reference to fast16.

SentinelOne thinks fast16 came into existence around 2005, based on clues in the code and the fact it won’t run on anything more recent than Windows XP – and even then only on a single-core CPU. Intel shipped its first multi-core consumer CPUs in 2006.

The researchers analyzed the sample and found it tries to install a worm and deploy a driver called fast16.sys.

Claude chokes Kamluk used Claude to analyze fast16, and said at one point the AI choked on the job and repeatedly failed to produce a report he asked it to write.

The researcher asked Claude why it couldn’t finish the job, and it produced paragraphs of introspective explanation, berating itself for not being fast enough to help its polite user and urging itself to just finish the job.

The chatbot eventually did, and suggested “Whoever built this had intimate knowledge of the target binary” and that the most likely intention of whoever developed the malware was “industrial sabotage.”

Kamluk said the strange Claude session shows infosec experts won’t be replaced by AI any time soon.

The driver includes a routine that alters the output of floating-point calculations and also goes looking for “precision calculation tools in specialised domains such as civil engineering, physics and physical process simulations.”

The researchers think fast16 targeted three high-precision engineering and simulation suites that were used in the mid-2000s: “LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling.”

Iran is thought to have used LS-DYNA in its nuclear weapons program.

Kamluk hypothesized that fast16’s purpose was to cause errors in calculations run by engineering simulation software, perhaps leading to real-world problems. And he asserted that fast16 was a cyberweapon that preceded Stuxnet by five years.

“In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits,” Kamluk wrote with SentinelOne colleague Juan Andrés Guerrero-Saade.

“It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today.”

In his talk, Kamluk said he’s disclosed his work to the vendors of the engineering applications fast16 targets, because he feels they may want to check the output of their products for evidence that the malware produced incorrect calculations.

“Maybe there are more discoveries to come?” he concluded.

Kamluk tearfully dedicated his talk to friend and colleague Sergey Mineev, who he said was responsible for finding many enormously significant APTs, without seeking attention for the significance of his work, and passed away in March. ®

Funding for program to stop next Stuxnet from hitting US expired Sunday: CyberSentry work grinds to a haltJessica Lyons, 22 Jul 2025Weak security means attackers could disable all of a city's public EV chargersBlack Hat Asia: Demonstrated in China, probably applicable elsewhereSimon Sharwood, 24 Apr 2026EV charger biz ELECQ zapped by ransomware crooks, customer contact data stolenExclusive: An attack on the company’s AWS platform may have exposed customers' names and home addressesCarly Page, 09 Mar 2026Hybrid clouds have two attack surfaces and you’re not paying enough attention to eitherBlack Hat Asia: Windows Admin Center flaws mean on-prem can attack cloud, and vice-versaSimon Sharwood, 23 Apr 2026