thehackernews.com 4/25/2026, 9:51:07 AM

Lua-based fast16 malware hit Iran's uranium work before Stuxnet

Primary Source sentinelone.com

According to SentinelOne, cybersecurity researchers uncovered a Lua-based malware framework nicknamed fast16, created years before Stuxnet and aimed at sabotaging Iran’s uranium enrichment effort by corrupting high-precision calculations. The package comprises a Lua bytecode core, an auxiliary ConnotifyDLL, and a kernel driver named fast16[.]sys, with the driver designed to intercept and patch executables as they are read from disk.

The artefact svcmgmt[.]exe, first seen with a file creation timestamp of August 30, 2005, is the apparent carrier module that can run as a Windows service or execute Lua code, while a PDB path points to a driver creation date of July 19, 2005. The malware reportedly targets engineering and simulation software such as LS-DYNA, PKPM and MOHID, using a Service Control Manager wormlet to propagate to other Windows 2000/XP environments with weak credentials.

SentinelOne notes that the Shadow Brokers’ 2016–2017 leak connected deconfliction signatures to NSA operators, suggesting a mid-2000s origin, and that Stuxnet is widely believed to have been developed by the U.S. and Israel, a claim highlighted in the report.


Article by CyberSIXT
