SentinelOne has discovered a Lua-based sabotage malware called Fast16, created years before Stuxnet and used in an attack in 2005. The analysis notes that Fast16 was referenced in the ShadowBrokers’ leak of NSA offensive tools and, according to SentinelLabs, may have been developed by the United States.
The malware uses a Lua 5.0 virtual machine embedded in svcmgmt[.]exe, a service binary, and a kernel driver named fast16[.]sys, designed to tamper with high-precision calculation software and to patch PE headers of targeted executables. Propagation relied on default or weak passwords for file shares on Windows 2000 and XP, with a wormable component that could move across networks.
The three engineering and simulation suites potentially targeted are LS-DYNA 970, PKPM, and the MOHID hydrodynamic modelling platform. Iran’s use of LS-DYNA is noted in relation to its nuclear programme and Stuxnet’s historical context. Fast16 is described as a strategic sabotage framework capable of producing alternative outputs in precise calculations, aiming to degrade or disrupt scientific and engineering processes.