SentinelOne Uncovers 'fast16': The Earliest Known Cyber Sabotage Malware, Predating Stuxnet by Five Years
Researchers at SentinelOne have discovered fast16, a previously undocumented malware framework dating back to 2005 that predates Stuxnet as the earliest known cyber sabotage tool, designed to corrupt high-precision calculations in engineering and scientific software.

SentinelOne researchers have uncovered a previously undocumented malware framework, dubbed fast16, that predates Stuxnet by at least five years, rewriting the history of state-sponsored cyber sabotage. The malware, with components dating back to 2005, was designed to inject near-imperceptible errors into high-precision mathematical computations, targeting software used in advanced physics, cryptographic, and nuclear research. This discovery challenges the long-held belief that Stuxnet, which became public in 2010, was the first known deployment of a cyber weapon in a geopolitical context.
Fast16's primary function was to quietly corrupt the mathematical outputs of engineering and scientific software by introducing tiny systematic errors that would be nearly impossible to detect without running independent calculations on a completely separate, uninfected system. SentinelOne likened fast16's delivery mechanism to a "cluster munition" that could drop multiple "wormlets," which would then distribute the main payload to as many machines as possible by exploiting vulnerabilities. The malware used a Lua scripting engine, making it the first-ever Lua-based network worm targeting high-precision calculation software.
The researchers identified three software suites that fast16 likely targeted: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling. Notably, SentinelOne identified LS-DYNA as software that Iran is reported to have used in computer modeling relevant to its nuclear weapons development program, suggesting it might have been a target even before Stuxnet. However, researchers are unsure if the authors — most likely state actors — ever deployed the weapon, what its intended targets were, or what impact it would have had in an actual attack scenario.
SentinelOne researchers uncovered fast16 while attempting to trace the earliest meaningful use of an embedded Lua VM in Windows malware. They had observed how the authors of highly sophisticated malware frameworks such as Flame, Flame 2.0, PlexingEagle, and Project Sauron consistently embedded a Lua scripting engine to add modularity to their tools. What they discovered was fast16, with components dating back to 2005, well before the earliest known use of Stuxnet. The name "fast16" appears in a document the ShadowBrokers group leaked in 2016 regarding the National Security Agency's offensive cyber weapons, but SentinelOne did not attribute the malware to the NSA or any other entity.
Remarkably, someone had uploaded the malware to VirusTotal more than a decade ago, where it has remained almost undetected. Only one engine on VirusTotal classifies the tool as generally malicious, and even that with only moderate confidence. While that VirusTotal result may appear concerning, SentinelOne researcher Vitaly Kamluk noted that fast16 "is genuinely an old piece of malware" that only runs in an "environment that is largely obsolete." Specifically, the malware runs only on uniprocessor Windows XP systems, so it cannot run on modern systems.
Despite its age, the underlying attack vector remains highly relevant. "High-precision calculations, whether used in financial trading, AI model training, or various simulation software, could still be the target of a similar, but modernized threat today," Kamluk said. SentinelOne has published YARA rules that organizations can use to check older systems for traces of fast16. The discovery of fast16 rewrites our understanding of what a cyber weapon can do, as well as when nation-state cyber sabotage operations matured to the level of becoming a serious threat to critical infrastructure.
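The check the article describes, recomputing on a separate, uninfected system and comparing results, can be sketched as follows. This is an added example, not SentinelOne's code and not derived from fast16 itself; the function names, the tolerance, and the 3e-7 bias in the sample data are assumptions constructed for illustration.

```python
import math
import random

def sign_test_p(pos, neg):
    """Two-sided binomial sign test: chance of a split this lopsided if deviations were unbiased."""
    n, k = pos + neg, max(pos, neg)
    if n == 0:
        return 1.0
    tail = sum(math.comb(n, i) for i in range(k, n + 1)) / 2 ** n
    return min(1.0, 2 * tail)

def compare_runs(reference, suspect, rel_tol=1e-12, alpha=1e-3):
    """Compare outputs of the same job from a trusted host (reference) and a host under test."""
    if len(reference) != len(suspect):
        raise ValueError("runs must contain the same number of results")
    # Signed relative deviation per result (absolute deviation where the reference is 0).
    rel = [(s - r) / abs(r) if r else s for r, s in zip(reference, suspect)]
    outliers = [d for d in rel if abs(d) > rel_tol]  # rel_tol is an assumed value; tune per solver
    pos = sum(d > 0 for d in outliers)
    p = sign_test_p(pos, len(outliers) - pos)
    if not outliers:
        verdict = "match"        # differences stay within rounding noise
    elif p < alpha:
        verdict = "systematic"   # deviations lean one way: not rounding noise
    else:
        verdict = "divergent"    # large but directionless: check solver build and settings
    return {"verdict": verdict, "max_rel": max(map(abs, rel), default=0.0),
            "outliers": len(outliers), "p_value": p}

def constructed_samples(n=200, seed=16):
    """Constructed data: a reference run, the same run with 1-ulp jitter, and a biased run."""
    rng = random.Random(seed)
    reference = [math.sqrt(i) * 1e3 for i in range(1, n + 1)]
    jitter = [r * (1 + rng.choice((-1, 0, 1)) * 2.0 ** -52) for r in reference]
    biased = [r * (1 + 3e-7) for r in reference]  # assumed tiny one-directional error
    return reference, jitter, biased

if __name__ == "__main__":
    reference, jitter, biased = constructed_samples()
    print("jitter:", compare_runs(reference, jitter))
    print("biased:", compare_runs(reference, biased))
```

The sign test is what separates ordinary floating-point jitter, which scatters in both directions, from a small error that consistently pushes results the same way.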