Fast16 Malware 2005 Targets Engineering Software

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- SentinelOne discovered a previously undocumented Lua‑based malware framework named fast16, dated to 2005, that targets high‑precision engineering calculation software.
- Fast16 embeds a Lua 5.0 virtual machine, encrypted bytecode, and a kernel driver (fast16.sys) that intercepts and modifies executable code, but it cannot run on Windows 7 or later.
- Fast16 was linked to a 2017 Shadow Brokers leak of a driver list file (drv_list.txt) that referenced the "fast16" string, providing a forensic connection to the NSA‑associated Equation Group.
- Fast16 uses a carrier module (svcmgmt.exe) that can run as a Windows service, deploy the kernel driver, and propagate via a Service Control Manager wormlet to Windows 2000/XP systems with weak credentials.
- Fast16 targets executables compiled with the Intel C/C++ compiler, injecting code that corrupts calculations in engineering suites such as LS‑DYNA, PKPM, and MOHID, potentially undermining scientific research or industrial processes.
- Fast16 predates Stuxnet by at least five years, making it the earliest known Windows malware to embed a Lua engine and indicating that state‑backed cyber sabotage capabilities existed in the mid‑2000s.
Why it matters: The finding shows that nation‑backed cyber sabotage tools existed five years before Stuxnet, meaning governments and high‑precision engineering firms have faced covert threats far longer than assumed; it also reveals a specific method for corrupting critical calculations, prompting urgent reassessment of software security in nuclear, aerospace, and industrial sectors.



