Fast16: Lua-Based Malware Predates Stuxnet by Years, Aiming to Sabotage High-Precision Calculations
A previously undocumented Lua-based malware framework, dubbed **fast16**, has been unearthed that predates the infamous Stuxnet worm by several years. The tool, dating back to 2005, targeted high-precision calculation software in order to manipulate its results in critical sectors.
Cybersecurity researchers have uncovered a previously undocumented cyber sabotage framework written in Lua, which existed years before **Stuxnet**, the notorious worm that targeted Iran's nuclear program. The malware, codenamed **fast16**, aimed to disrupt operations by tampering with the results of high-precision calculation software.
According to a new report by **SentinelOne**, this framework dates back to 2005.
"By combining this payload with self-propagation mechanisms, the attackers aim to produce equivalent inaccurate calculations across an entire facility," researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade said in their report.

### Origins and Capabilities
Fast16 predates Stuxnet by at least five years and also precedes the earliest known samples of **Flame** (aka Flamer and Skywiper). This discovery marks fast16 as the first known Windows malware to embed a Lua engine.
SentinelOne's discovery stemmed from an artifact named "svcmgmt.exe," which at first sight looks like a generic console-mode service wrapper. VirusTotal indicates the file has a creation timestamp of August 30, 2005, and was uploaded more than a decade later, on October 8, 2016.
Further analysis revealed an embedded Lua 5.0 virtual machine, an encrypted bytecode container, and modules that interface directly with Windows NT file system, registry, service control, and network APIs.
The implant's core logic resides within the Lua bytecode. The binary also references, via a PDB path, a kernel driver ("fast16.sys") dated July 19, 2005, which intercepts and modifies executable code as it is read from disk. The driver does not run on Windows 7 or later.
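As an added triage example (this is not code from SentinelOne's report or from fast16), the following Python scanner looks for the two plaintext traces a Lua-embedding binary usually leaves: the precompiled-chunk signature `\x1bLua` followed by its version byte (0x50 for Lua 5.0, 0x51 for 5.1, and so on, per the Lua dump format), and the interpreter's own version string ("Lua 5.0"). Because fast16 keeps its bytecode in an encrypted container, the chunk header will not be visible in the payload itself, so the scanner also reports fixed-size windows whose byte entropy is high enough to suggest ciphertext. The sample buffer, the header bytes after the version byte, and the flat-distribution stand-in for an encrypted blob are all constructed for the example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Lua precompiled-chunk signature, followed in the dump format by one version
# byte: high nibble = major, low nibble = minor (0x50 = Lua 5.0, 0x51 = 5.1).
CHUNK_SIG = b"\x1bLua"
# Version string the interpreter carries for itself (LUA_VERSION), e.g. "Lua 5.0".
VM_VERSION_RE = re.compile(rb"Lua (5\.\d)")


@dataclass(frozen=True)
class LuaHit:
    kind: str      # "chunk" (bytecode header) or "vmstring" (interpreter string)
    offset: int    # byte offset in the scanned buffer
    version: str   # decoded Lua version, e.g. "5.0"


def scan_for_lua(data: bytes) -> list:
    """Return every Lua chunk header and VM version string found in data, by offset."""
    hits = []
    pos = data.find(CHUNK_SIG)
    while pos != -1:
        if pos + len(CHUNK_SIG) < len(data):
            vb = data[pos + len(CHUNK_SIG)]
            hits.append(LuaHit("chunk", pos, f"{vb >> 4}.{vb & 0x0F}"))
        pos = data.find(CHUNK_SIG, pos + 1)
    for m in VM_VERSION_RE.finditer(data):
        hits.append(LuaHit("vmstring", m.start(), m.group(1).decode()))
    return sorted(hits, key=lambda h: h.offset)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 suggest encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, size: int = 256, threshold: float = 7.5) -> list:
    """Offsets of size-byte windows whose entropy reaches threshold.

    A plaintext Lua chunk is low entropy; an encrypted bytecode container of the
    kind fast16 carries shows up here even though scan_for_lua cannot see its header.
    """
    return [off for off in range(0, len(data) - size + 1, size)
            if shannon_entropy(data[off:off + size]) >= threshold]


# Constructed sample (not a real file): a fake DOS stub, an interpreter version
# string at offset 64, a Lua 5.0 chunk header at offset 96 (bytes after the
# version byte are illustrative), zero padding to 512 bytes, then a block in
# which every byte value is equally frequent, standing in for an encrypted
# container (real ciphertext is statistically similar).
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"Lua 5.0\x00"
    + b"\x00" * 24
    + b"\x1bLua\x50\x01\x04\x04\x04\x06\x08\x09\x09\x08"
).ljust(512, b"\x00") + bytes(range(256)) * 4


if __name__ == "__main__":
    for hit in scan_for_lua(SAMPLE):
        print(f"{hit.kind:9s} at 0x{hit.offset:04x}: Lua {hit.version}")
    print("high-entropy windows at:", [hex(o) for o in high_entropy_windows(SAMPLE)])
```

Run against a real PE, the same functions apply to the file bytes; a hit on the version string without any chunk header is exactly the profile the report describes for a carrier that ships an embedded VM but encrypts the bytecode it feeds to it.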
### Connection to the Shadow Brokers
SentinelOne uncovered a reference to "fast16" in a text file called "drv_list.txt," which listed drivers used in advanced persistent threat (APT) attacks. This file was part of a data trove leaked by **The Shadow Brokers** in 2016 and 2017, allegedly stolen from the **Equation Group**, an APT group with suspected ties to the U.S. **National Security Agency (NSA)**. The text file can be found on GitHub.

"The string inside svcmgmt.exe provided the key forensic link in this investigation," SentinelOne stated. "The PDB path connects the 2017 leak of deconfliction signatures used by NSA operators with a multi-modal Lua-powered 'carrier' module compiled in 2005, and ultimately its stealthy payload: a kernel driver designed for precision sabotage."
### Technical Details of Fast16
"Svcmgmt.exe" serves as an adaptable carrier module, modifying its behavior based on command-line arguments. It can operate as a Windows service or execute Lua code. The module includes three payloads: Lua bytecode for configuration, propagation, and coordination; an auxiliary ConnotifyDLL ("svcmgmt.dll"); and the "fast16.sys" kernel driver.
The module parses its configuration, escalates privileges, deploys the kernel implant, and launches a Service Control Manager (**SCM**) wormlet. The wormlet scans the network for servers and, where it finds Windows 2000/XP hosts with weak credentials, propagates the malware to them.
Propagation occurs only when manually initiated or when common security products are absent. Fast16 checks for security tools from vendors such as Agnitum, **F-Secure**, **Kaspersky**, **McAfee**, **Microsoft**, **Symantec**, Sygate Technologies, and **Trend Micro** by scanning the Windows Registry.
The presence of Sygate Technologies, acquired by Symantec (now part of **Broadcom**) in August 2005, further indicates the sample's age.
"For tooling of this age, that level of environmental awareness is notable," SentinelOne noted. "While the list of products may not seem comprehensive, it likely reflects the products the operators expected to be present in their target networks whose detection technology would threaten the stealthiness of a covert operation."
The ConnotifyDLL is invoked whenever a new Remote Access Service (**RAS**) network connection is established, and writes the remote and local connection names to a named pipe ("\\.\pipe\p577").
### Precision Sabotage Through Kernel Driver
The kernel driver is responsible for the precision sabotage. It targets executables compiled with the Intel C/C++ compiler, applying rule-based patches and injecting code so that the mathematical calculations performed by tools used in civil engineering, physics, and physical-process simulation are subtly corrupted.
"By introducing small but systematic errors into physical-world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage," SentinelOne explained.
"By separating a relatively stable execution wrapper from encrypted, task-specific payloads, the developers created a reusable, compartmentalized framework that they could adapt to different target environments and operational objectives while leaving the outer carrier binary largely unchanged across campaigns."
Analysis suggests that three high-precision engineering and simulation suites may have been targeted: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform.
**LS-DYNA**, now part of the **Ansys** Suite, is a multi-physics simulation software used for simulating crashes, impacts, and explosions. In September 2024, the Institute for Science and International Security (ISIS) released a report detailing possible violations.