Cybersecurity researchers have discovered a new Lua-based malware created years before the infamous Stuxnet worm, which was aimed at sabotaging Iran’s nuclear program by destroying uranium enrichment centrifuges.
According to a new report published by SentinelOne, a previously undocumented form of cyber sabotage, codenamed Fast16, dates back to 2005 and primarily targeted high-precision calculation software in order to tamper with its results.
“By combining this payload with a self-propagation mechanism, the attackers aim to make similar miscalculations throughout the facility,” researchers Vitaly Kamlyuk and Juan Andres Guerrero-Saade said in a detailed report published this week.
Fast16 is assessed to predate Stuxnet, the first known digital weapon engineered for disruptive actions and the basis for the Duqu information-stealing rootkit, by at least five years. Stuxnet is believed to have been developed by the US and Israel.
It also predates the earliest known samples of Flame (aka Flamer and SkyViper), a more sophisticated malware discovered in 2012 that incorporated the Lua virtual machine to achieve its goals. This discovery makes Fast16 the first strain of Windows malware to embed the Lua engine.
SentinelOne said it made the discovery after identifying an artifact named “svcmgmt.exe”, which at first glance appeared to be a generic console-mode service wrapper. According to VirusTotal, the sample has a file creation timestamp of August 30, 2005, and it was uploaded more than a decade later, on October 8, 2016.
However, a deeper investigation revealed an embedded Lua 5.0 virtual machine and an encrypted bytecode container, as well as various other modules that connect directly to the Windows NT file system, registry, service control, and network APIs.
While the main logic of the implant resides in the Lua bytecode, the binary also refers via a PDB path to a kernel driver (“fast16.sys”), a file with a creation date of July 19, 2005, which is responsible for intercepting and modifying executable code as it is read from disk. Notably, the driver will not run on Windows 7 or later.
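Two of the static indicators described above, an embedded precompiled Lua chunk and a PDB path string, are the kind of thing a triage script can pull out of a suspect binary before any dynamic analysis. The following is an added example, not code from the SentinelOne report: it scans a byte blob for the Lua chunk magic (`\x1bLua` followed by a version byte, `0x50` for Lua 5.0) and for CodeView `RSDS` debug records, whose layout is the signature, a 16-byte GUID, a 4-byte age, and a NUL-terminated PDB path. The sample bytes, GUID and PDB path are constructed placeholders, not values from svcmgmt.exe. Since the report says the real bytecode container is encrypted, the Lua-magic check would only fire on an unencrypted chunk; the PDB-path check is the one that corresponds to the forensic link the researchers describe.

```python
"""Static triage helpers: locate Lua chunk headers and CodeView PDB records in a blob."""
import re
import struct
import uuid
from dataclasses import dataclass

LUA_CHUNK_MAGIC = b"\x1bLua"  # first four bytes of any precompiled Lua chunk
RSDS_MAGIC = b"RSDS"          # CV_INFO_PDB70 signature (PDB 7.0 debug record)


@dataclass
class PdbRecord:
    offset: int
    guid: str
    age: int
    path: str


def find_lua_chunks(blob: bytes):
    """Return (offset, version_byte) for every Lua chunk header in the blob.
    Lua 5.0 writes 0x50 after the magic, Lua 5.1 writes 0x51."""
    hits = []
    for m in re.finditer(re.escape(LUA_CHUNK_MAGIC), blob):
        off = m.start()
        if off + 4 < len(blob):
            hits.append((off, blob[off + 4]))
    return hits


def find_pdb_records(blob: bytes):
    """Locate RSDS records: 'RSDS' + GUID(16) + Age(4) + NUL-terminated path."""
    records = []
    for m in re.finditer(re.escape(RSDS_MAGIC), blob):
        off = m.start()
        hdr = blob[off + 4: off + 24]
        if len(hdr) < 20:
            continue  # truncated record, cannot be a real CV_INFO_PDB70
        guid = str(uuid.UUID(bytes_le=hdr[:16]))
        age = struct.unpack("<I", hdr[16:20])[0]
        end = blob.find(b"\x00", off + 24)
        if end == -1:
            continue
        try:
            path = blob[off + 24:end].decode("ascii")
        except UnicodeDecodeError:
            continue  # not a printable path, skip the false positive
        if not path.lower().endswith(".pdb"):
            continue  # RSDS also appears in unrelated data; require a .pdb suffix
        records.append(PdbRecord(off, guid, age, path))
    return records


def triage(blob: bytes):
    """Summarise both indicator types for a binary image."""
    return {"lua_chunks": find_lua_chunks(blob), "pdb_records": find_pdb_records(blob)}


# Constructed sample blob (NOT svcmgmt.exe): a fake DOS stub, one RSDS record with a
# placeholder GUID and PDB path, and a bare Lua 5.0 chunk header.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")  # placeholder
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + RSDS_MAGIC + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + b"C:\\example\\placeholder.pdb\x00"   # placeholder path, not the real one
    + b"\x00" * 8
    + LUA_CHUNK_MAGIC + b"\x50" + b"\x00" * 10
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run against a real file with `triage(open(path, "rb").read())`; a PDB path that names a different module than the file itself (as the report describes for the carrier and its driver) is worth a closer look.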
In a search that may indicate the origin of the tool, SentinelOne said it uncovered a reference to the string “Fast16” in a text file called “drv_list.txt” that contains a list of drivers designed for use in advanced persistent threat (APT) attacks. The approximately 250KB file was leaked by a mysterious hacking group nine years ago.
In 2016 and 2017, the collective, calling themselves The Shadow Brokers, published vast troves of data allegedly stolen from the Equation Group, an advanced persistent threat group with suspected ties to the US National Security Agency (NSA). The dumps, released under the name “Lost in Translation”, contained several hacking tools and exploits, and the text file was one of them.
“The string inside svcmgmt.exe provided an important forensic link in this investigation,” SentinelOne said. “The PDB path connects the 2017 leak of deconfliction signatures used by NSA operators with a multi-modal Lua-powered ‘carrier’ module compiled in 2005, and ultimately its secret payload: a kernel driver designed for precise subversion.”
“Svcmgmt.exe” is described as a “highly adaptable carrier module” that can change its behavior depending on the command-line arguments given to it, enabling it to run as a Windows service or execute Lua code. It comes with three different payloads: Lua bytecode to handle configuration, propagation, and coordination logic, a helper ConnotifyDLL (“svcmgmt.dll”), and the “fast16.sys” kernel driver.
Specifically, it is designed to parse its configuration, install itself as a service, optionally deploy kernel implants, and launch a Service Control Manager (SCM) wormlet that scans for network servers and spreads to other Windows 2000/XP systems with weak or default credentials.
Importantly, propagation only occurs when forced manually, or when a scan of the Windows registry for keys associated with common security products finds none on the system. Among the security vendors it explicitly checks for are Agnitum, F-Secure, Kaspersky, McAfee, Microsoft, Symantec, Sygate Technologies, and Trend Micro.
The presence of Sygate Technologies is another indicator that the sample was developed in the mid-2000s, as the company was acquired by Symantec, now part of Broadcom, in August 2005, and sales and support of its products formally ceased by November of that year.
“For tooling of this age, that level of environmental awareness is remarkable,” SentinelOne said. “Although the list of products may not seem comprehensive, it likely reflects the products that operators expect to be present in their target networks whose identification technology could jeopardize the confidentiality of a covert operation.”
ConnotifyDLL, on the other hand, is invoked whenever the system establishes a new network connection using Remote Access Service (RAS), and writes the remote and local connection names to a named pipe (“\\.\pipe\p577”).
It is the driver, however, that is responsible for the precise subversion: it targets executables compiled with the Intel C/C++ compiler, performing rule-based patching that hijacks the execution flow through malicious code injection. Such patching is capable of corrupting mathematical calculations, especially in tools used in civil engineering, physics, and physical process simulation.
“By introducing small but systematic errors into physical-world calculations, the framework could undermine or slow down scientific research programs, cause engineered systems to degrade over time, or even contribute to catastrophic damage,” SentinelOne explained.
“By separating relatively stable execution wrappers from encrypted, task-specific payloads, developers created a reusable, partitioned framework that they could adapt to different target environments and operational objectives while leaving the external carrier binary largely unchanged across campaigns.”
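The claim that “small but systematic errors” accumulate into meaningful damage is easy to underestimate, so the following added example (not from the report, and unrelated to the actual patch rules) shows the effect on a toy physics integration and the kind of invariant check that exposes it. A semi-implicit Euler integrator for a harmonic oscillator conserves energy to within a fraction of a percent; the `bias` parameter is a hypothetical relative error of one part per million applied to every position update, standing in for a tampered arithmetic routine. Over 100,000 steps that bias inflates the total energy by roughly ten percent, which a simple conservation check flags while the unmodified run passes.

```python
"""Energy-conservation check showing how a tiny systematic arithmetic bias
accumulates in a long simulation run. Added illustration, not Fast16 code."""


def simulate(steps: int = 100_000, dt: float = 0.01, bias: float = 0.0):
    """Semi-implicit (symplectic) Euler for x'' = -x, starting at x=1, v=0.

    `bias` is a hypothetical relative error applied to each position update,
    modelling a patched multiply/add. Returns the final (x, v)."""
    x, v = 1.0, 0.0
    for _ in range(steps):
        v -= x * dt                      # kick: update velocity from force
        x = (x + v * dt) * (1.0 + bias)  # drift: update position (possibly biased)
    return x, v


def energy(x: float, v: float) -> float:
    """Total energy of the unit oscillator, conserved by the honest integrator."""
    return 0.5 * (x * x + v * v)


def energy_drift(steps: int = 100_000, dt: float = 0.01, bias: float = 0.0) -> float:
    """Relative change in energy over the run; near zero for a healthy integrator."""
    e0 = energy(1.0, 0.0)
    x, v = simulate(steps, dt, bias)
    return energy(x, v) / e0 - 1.0


def integrity_check(drift: float, tolerance: float = 0.02) -> bool:
    """Invariant check a simulation pipeline can run on its own output:
    energy drift beyond the integrator's known error budget means the
    arithmetic did not do what the source code says it does."""
    return abs(drift) <= tolerance


if __name__ == "__main__":
    clean = energy_drift()
    biased = energy_drift(bias=1e-6)
    print(f"clean run:  drift={clean:+.4f}  ok={integrity_check(clean)}")
    print(f"biased run: drift={biased:+.4f}  ok={integrity_check(biased)}")
```

The honest integrator's energy error is bounded (the scheme exactly conserves x² + v² − dt·x·v, so the measured energy only wobbles by about dt/4), whereas a per-step scale factor of 1 + 10⁻⁶ compounds to e^0.1 ≈ 1.105 after 10⁵ steps. Physical invariants like this one are a cheap runtime check for simulation software whose binaries might be tampered with between disk and memory, where file hashes alone would not help.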
Based on an analysis of the 101 rules defined in the patching engine and their matching against software in use in the mid-2000s, three high-precision engineering and simulation suites have been assessed as likely targets: LS-DYNA 970, PKPM, and the MOHID Hydrodynamic Modeling Platform.
LS-DYNA, now part of the Ansys Suite, is a general-purpose multi-physics simulation software package used to simulate accidents, impacts, and explosions. In September 2024, the Institute for Science and International Security (ISIS) released a report detailing Iran’s potential use of computer modeling software such as LS-DYNA related to nuclear weapons development, based on an examination of 157 academic publications found in open-source scientific and engineering literature.
This line of evidence is important considering that Iran’s nuclear program was significantly damaged after the uranium enrichment facility at Natanz was targeted by the Stuxnet worm in June 2010. Additionally, Symantec disclosed in February 2013 an earlier version of Stuxnet that was used to attack Iran’s nuclear program in November 2007, with evidence indicating that it had been under development as early as November 2005.
Symantec noted at the time: “Stuxnet 0.5 is the oldest known Stuxnet variant to be analyzed. Stuxnet 0.5 includes an alternative attack strategy that would have shut down valves within the uranium enrichment facility at Natanz, Iran, which would have caused severe damage to the centrifuges and the uranium enrichment system as a whole.”
Overall, the latest discovery “forces a re-evaluation” of the historical timeline of development for covert cyber subversion campaigns, SentinelOne said, showing that state-supported cyber subversion tooling against physical targets was fully developed and deployed by the mid-2000s.
The researchers concluded: “In the broader picture of APT development, Fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits. It is a reference point for understanding how advanced actors think about the state’s ability to reshape the physical world through long-term implants, subversion, and software. Fast16 was the silent harbinger of a new form of state art, which succeeds in its secrecy to this day.”