Security researchers have identified malware dating back to 2005 that appears to have been designed to disrupt Iran’s nuclear program years before the infamous Stuxnet campaign.
SentinelOne’s Vitaly Kamluk and Juan Andrés Guerrero-Saade explained in a blog post that their starting point was to work out whether any malware featuring an embedded Lua VM predated state-backed efforts like Flame and Project Sauron.
They subsequently found service binary “svcmgmt.exe” which featured an embedded Lua 5.0 VM referencing kernel driver “fast16.sys.”
“This kernel driver is a boot-start filesystem component that intercepts and modifies executable code as it’s read from disk,” the report explained.
“Although a driver of this age will not run on Windows 7 or later, for its time fast16.sys was a cut above commodity rootkits thanks to its position in the storage stack, control over filesystem I/O, and rule-based code patching functionality.”
Read more on Stuxnet: Sophisticated Stuxnet Malware is Approaching 18 Months Old
Fast16 predates Stuxnet by at least five years and stands as the first operation of its kind, SentinelOne’s researchers said. Stuxnet was a sophisticated, nation-state-level computer worm discovered in 2010 which was designed to sabotage Iran’s nuclear program.
SentinelOne said fast16 differs from worms of its time because it is the first recorded Lua-based network worm and its mission specificity.
“The carrier was designed to act like cluster munition in software form, able to carry multiple wormable payloads, referred to internally as ‘wormlets’,” the report noted.
It’s designed to target Windows 2000/XP and relies on default or weak admin passwords on file shares. However, it will only start after checking that the targeted environment is not running specific security software.
“For tooling of this age, that level of environmental awareness is notable,” the report claimed.
Fast16 Attribution and End Goal
SentinelOne claimed that fast16 was designed to target three “high-precision engineering and simulation suites” used in the mid-noughties: LS-DYNA 970, PKPM and the MOHID hydrodynamic modeling platform.
These were used for crash testing, structural analysis and environmental modelling, with LS-DYNA believed to have been deployed by Iran.
The malware itself was written to interfere with the calculations produced by these tools, corrupting routines to produce alternative outputs.
“By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time or even contribute to catastrophic damage,” the report claimed.
“It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software.”
The malware was also referenced in the infamous Shadow Brokers leak of NSA hacking tools, tying it back to US offensive operations.
