LmCast :: Stay tuned in

20-Year-Old Malware Rewrites History of Cyber Sabotage

Recorded: May 11, 2026, 1:16 p.m.


Researchers have uncovered a malware framework dubbed "fast16" that predates Stuxnet by five years.

Jai Vijayan, Contributing Writer
April 27, 2026

Researchers have long considered the Stuxnet attacks on Iran's nuclear
centrifuges in Natanz to be the opening chapter of state-sponsored cyber sabotage.

As it turns out, at least five years before Stuxnet became public in 2010, somebody had developed an equally potent cyber weapon, one capable of injecting near-imperceptible errors into high-precision mathematical computations to gradually undermine and sabotage systems and applications that rely on their results.

Researchers at SentinelOne who discovered the previously undocumented malware framework, which they are tracking as fast16, say it represents the earliest example yet of a cyber tool designed explicitly for sabotaging "ultra expensive high-precision computing workloads of national importance like advanced physics, cryptographic, and nuclear research workloads."

"The discovery of fast16 rewrites our understanding of what a cyber weapon can do, as well as when nation-state cyber sabotage operations matured to the level of becoming a serious threat to critical infrastructure," says SentinelOne researcher Vitaly Kamluk in comments to Dark Reading.

Rewriting Notions of a Cyberweapon

Fast16's function was to quietly corrupt mathematical outputs of engineering and scientific software by introducing tiny systematic errors that would be nearly impossible to detect without running independent calculations on a completely separate, uninfected system.

SentinelOne likened fast16's delivery mechanism to a "cluster munition" that could drop multiple "wormlets" that would then distribute the main payload to as many machines as possible in a target environment by looking for and exploiting vulnerabilities in them.

Fast16 marks a major turning point in the history of cyber weapons, Kamluk says.
"Despite its twenty-year vintage, we have yet to discover another malware specifically designed to compromise high-precision mathematical calculations in this way."

A Fortunate Find

SentinelOne researchers uncovered fast16 while attempting to trace the earliest meaningful use of an embedded Lua VM in Windows malware. Lua is a scripting language that organizations use to extend an application's functionality. SentinelOne had observed how the authors of highly sophisticated malware frameworks such as Flame, Flame 2.0, PlexingEagle, and Project Sauron consistently embedded a Lua scripting engine to add modularity to their tools and wanted to see how far back the practice went.

What they discovered was fast16, with components dating back to 2005, well before the earliest known use of Stuxnet, widely regarded as the first known deployment of a cyber weapon in a geopolitical context. Their analysis of fast16 showed it to be the first-ever Lua-based network worm targeting high-precision calculation software.

The name "fast16" appears in a document the ShadowBrokers group leaked in 2016 regarding the National Security Agency's offensive cyber weapons. But SentinelOne did not attribute the malware to NSA or any other entity. Remarkably, someone had uploaded the malware to VirusTotal more than a decade ago, where it has remained almost undetected. Only one engine on VirusTotal classifies the tool as generally malicious, but even that is with moderate confidence, SentinelOne said.
While that VirusTotal result may appear concerning, Kamluk noted that fast16 "is genuinely an old piece of malware" that only runs in an "environment that is largely obsolete."

"Frankly, we believe we were fortunate simply to pick up the trace, as it was surrounded by misleading false vectors that could easily have led other researchers to an incorrect hypothesis without proper validation."

Targeted Software Suites

The researchers identified three software suites that fast16 likely targeted: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling. SentinelOne identified LS-DYNA as software that Iran is reported to have used in computer modeling relevant to its nuclear weapons development program, suggesting it might have been a target even before Stuxnet.

However, researchers are unsure if the authors — most likely state actors — ever deployed the weapon, what its intended targets are, or what impact it would have in an actual attack scenario. "As for geopolitical contexts and nation states, the malware has no specific reference about where it was meant to be deployed," Kamluk says. "The targeted software could pop up anywhere."

Still, Kamluk assesses fast16 as likely the work of a nation-state actor. "Patching software that performs high-precision physical process simulation is beyond the scope of a typical developer," he says. "It requires intimate familiarity with the specific subject field to create subtle yet meaningful sabotage alterations."

An Attack Vector Remains Relevant

Considering the software's age, it is extremely difficult to know if any organizations fell victim to fast16. So, it is only possible to speculate on the possible outcomes of a fast16 attack. Considering it was written for a different generation of systems, fast16 is incapable of running on modern systems, Kamluk says.
The malware runs only on uniprocessor Windows XP systems, an environment that is now largely obsolete. Even in rare instances when such legacy systems persist in old laboratories, installing modern security software on them is often impossible, he notes.

"[But] the underlying attack vector remains highly relevant. High-precision calculations, whether used in financial trading, AI model training, or various simulation software, could still be the target of a similar, but modernized threat today."

SentinelOne has published YARA rules that organizations can use to check older systems or data archives.

"The true significance of the fast16 discovery lies in identifying this novel and unusual cyber sabotage attack vector itself," Kamluk says.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India.
Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Researchers at SentinelOne have uncovered a previously undocumented malware framework dubbed “fast16,” which predates Stuxnet by five years. The discovery significantly alters the understanding of cyber sabotage, particularly regarding nation-state operations. Developed around 2005, fast16 was designed to subtly corrupt mathematical outputs within high-precision engineering and scientific software, a function that, according to SentinelOne researcher Vitaly Kamluk, represents the earliest example of a cyber tool specifically targeting “ultra expensive high-precision computing workloads of national importance.”

The framework’s operational mechanism involved injecting near-imperceptible errors into calculations, a tactic incredibly difficult to detect without independent verification. SentinelOne likened its delivery system to a “cluster munition,” utilizing Lua scripting – a modularity-enhancing language – to spread the payload across a target environment by exploiting vulnerabilities. Jai Vijayan highlights the importance of this finding, noting it marks a major turning point in the history of cyber weapons and the maturation of state-sponsored cyber sabotage.
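The independent verification described above can be automated as a cross-check between results from a production host and a recomputation on a separate machine. This is an added example, not code from SentinelOne or the article; the function names, tolerances and the constructed sample data are assumptions. It goes one step beyond a plain tolerance comparison by adding a sign test, because small systematic errors can sit inside tolerance while all leaning the same way.

```python
import math
import random

def sign_test_p(pos, neg):
    """Two-sided binomial sign test: chance of a split at least this lopsided
    if deviations were equally likely to be positive or negative."""
    n, k = pos + neg, max(pos, neg)
    if n == 0:
        return 1.0
    tail = sum(math.comb(n, i) for i in range(k, n + 1)) / 2 ** n
    return min(1.0, 2 * tail)

def cross_check(primary, reference, rel_tol=1e-6, alpha=1e-6):
    """Compare production results with an independent recomputation.
    Flags out-of-tolerance values and in-tolerance one-sided drift."""
    if len(primary) != len(reference):
        raise ValueError("result sets differ in length")
    over_tol = pos = neg = 0
    for p, r in zip(primary, reference):
        d = p - r
        if abs(d) > rel_tol * max(abs(p), abs(r)):
            over_tol += 1
        pos += int(d > 0)
        neg += int(d < 0)
    p_value = sign_test_p(pos, neg)
    return {"over_tol": over_tol, "pos": pos, "neg": neg, "p_value": p_value,
            "suspect": over_tol > 0 or p_value < alpha}

def sample_runs(n=200, seed=16):
    """Constructed data: a reference series, a run with symmetric rounding-like
    noise, and a run skewed upward by one part in 1e9 (inside rel_tol)."""
    rng = random.Random(seed)
    reference = [5e3 + 1e3 * math.sin(0.01 * i) for i in range(n)]
    noisy = [r * (1 + rng.uniform(-1e-12, 1e-12)) for r in reference]
    skewed = [r * (1 + 1e-9) for r in reference]
    return reference, noisy, skewed

if __name__ == "__main__":
    reference, noisy, skewed = sample_runs()
    for name, run in (("noisy", noisy), ("skewed", skewed)):
        print(name, cross_check(run, reference))
```

A one-sided split can also come from benign causes such as a different math library or compiler on the reference machine, so a flag here is a reason to investigate, not a verdict.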

The malware’s name, “fast16,” originated from a document leaked by the ShadowBrokers group in 2016 concerning the National Security Agency’s offensive cyber weapons. SentinelOne, however, refrained from attributing the malware to any specific entity, emphasizing the age of the tool. Remarkably, fast16 had been uploaded to VirusTotal over a decade ago, and only one engine detected it as generally malicious with moderate confidence. Considering the obsolescence of the operating environment – uniprocessor Windows XP – on which it runs, Kamluk assesses that the malware’s continued presence is more a matter of fortunate discovery than ongoing operational threat.

Despite its age, the underlying attack vector remains relevant. The potential targets of fast16 include software suites like LS-DYNA 970, PKPM, and MOHID, commonly used in crash testing, structural analysis, and hydrodynamic modeling – potentially including Iranian nuclear research programs as suggested by early reports. The significance isn't necessarily the malware's active usage, but rather the revelation of this novel attack vector. Kamluk emphasizes that the ability to manipulate high-precision calculations requires intimate knowledge of subject-specific engineering and scientific disciplines, signaling a level of sophistication beyond typical developer capabilities.

While the exact extent of any potential impact remains uncertain due to the malware's age, SentinelOne has published Yara rules to assist in identifying and mitigating similar threats. The discovery underscores the continued relevance of older malware frameworks and the potential for vulnerabilities exploited in legacy systems.