securityaffairs.com 4/27/2026, 9:21:34 AM · via preferred

Fast16 Lua malware sabotaged precision software before Stuxnet

Primary Source sentinelone.com

Fast16 is a pre-Stuxnet malware that tampered with precision software and spread itself; SentinelOne uncovered it as part of an analysis of a 2005 sample. Written in Lua, it targeted high-precision calculation software and altered its results. It spread across Windows systems via network shares and checked for security tools to avoid detection.

The malware appeared in the ShadowBrokers NSA tools leak, and evidence suggests it may have been developed by the United States, highlighting early cyber operations linked to tensions with Iran. Its carrier, svcmgmt[.]exe, acts as a modular loader that uses encrypted Lua payloads and “wormlets,” while the fast16[.]sys kernel driver loads at boot to intercept filesystem operations and modify executables in memory.

Fast16 is described as a sabotage-focused framework capable of applying rule-based patches to precision software, potentially corrupting outputs in fields such as structural engineering and physics modelling, while remaining stealthy and persistent across infected systems. The analysis indicates a long-running, well-resourced development effort that predates Stuxnet by at least five years and uses an embedded Lua VM that predates the earliest Flame samples. According to SentinelOne, this marks the first operation of its kind targeting ultra-expensive high-precision computing workloads.


Article by CyberSIXT
