Researchers at SentinelLabs have uncovered a cyber sabotage tool from 2005 called ‘fast16,’ designed to alter the results of high-precision computing systems. The findings suggest that attacks targeting scientific and research workloads began years earlier than previously believed, well before Stuxnet.
The malware’s key component is a kernel driver named fast16.sys. The driver intercepts programs as they are loaded from disk and modifies their code directly in memory. Instead of crashing systems, it changes how calculations are performed, leading to incorrect (but believable) results.
“fast16.sys selectively targets high-precision calculation software, patching code in memory to tamper with results. By combining this payload with self-propagation mechanisms, the attackers aim to produce equivalent inaccurate calculations across an entire facility,” the report notes.
During the research, SentinelLabs discovered a file called ‘svcmgmt.exe,’ disguised as a normal Windows service utility. It contains an embedded Lua 5.0 virtual machine and encrypted bytecode that controls the malware’s behavior. This makes fast16 the earliest known Windows malware to use Lua, predating similar techniques later seen in the Flame malware.
“The early 2000s saw a large number of network worms. Most were written by enthusiasts, spread quickly, and carried little or no meaningful payload. fast16 originates from the same period but follows a completely different pattern indicative of its provenance as state-level tooling. It’s the first recorded Lua-based network worm, and was built with a highly specific mission,” the report further explains.
The framework consists of three main parts: Lua bytecode for configuration and control logic; a helper DLL (svcmgmt.dll); the kernel driver (fast16.sys) that performs code tampering.
It can install itself as a Windows service, deploy the driver, and spread across networks. The spreading mechanism scans for Windows 2000 and XP machines with weak or default passwords. However, it only activates propagation when triggered manually or when common antivirus tools are not detected. It checks the Windows Registry for security products from vendors like Kaspersky, McAfee, Microsoft, and others.
The name “fast16” appears in files leaked by the Shadow Brokers group in 2016, which exposed tools linked to Equation Group, a threat actor believed to be associated with the US National Security Agency (NSA).
Another interesting aspect that points at the malware’s age is that the driver does not work on Windows 7 or newer systems, and it looks for security software that was common in the mid-2000s, including products that were discontinued around that time.
Researchers describe svcmgmt.exe as flexible, able to change how it behaves based on command-line input.
“The FPU patch in fast16.sys was written to corrupt these routines in a controlled way, producing alternative outputs. This moves fast16 out of the realm of generic espionage tooling and into the category of strategic sabotage. By introducing small but systematic errors into physical-world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time or even contribute to catastrophic damage,” SentinelLabs says.
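The sabotage described above produces results that are wrong but plausible, so a defender cannot spot it by looking for crashes. One practical check is a floating-point integrity canary: recompute a fixed battery of operations two independent ways (hardware doubles versus Python’s integer-based `decimal` arithmetic) and alarm on any drift beyond normal rounding. The code below is an added example, not SentinelLabs’ or the malware’s code; the canary inputs and the `compute` hook are constructed here for illustration, and nothing in it assumes how fast16.sys actually modifies the FPU routines.

```python
"""Floating-point integrity canary (added example).

Hardware double arithmetic is compared against the `decimal` module, which
uses integer arithmetic and therefore does not depend on the FPU code paths a
memory patch would alter. Correctly rounded hardware results land within
0.5 ULP of the reference; a systematic bias shows up as a much larger gap.
"""
from decimal import Decimal, getcontext
import math

getcontext().prec = 50  # reference precision far beyond a double's 53 bits

# Constructed canary inputs (a, b); not taken from the SentinelLabs report.
CANARY_INPUTS = [
    (1.0, 3.0),
    (2.0, 7.0),
    (123456.789, 0.001),
    (3.141592653589793, 2.718281828459045),
]

OPS = ("add", "sub", "mul", "div", "sqrt")


def reference_results(a: float, b: float) -> dict:
    """Independent reference: Decimal(float) is the exact binary value of the double."""
    da, db = Decimal(a), Decimal(b)
    return {"add": da + db, "sub": da - db, "mul": da * db,
            "div": da / db, "sqrt": da.sqrt()}


def hardware_results(a: float, b: float) -> dict:
    """Results produced by the machine's floating-point unit via CPython."""
    return {"add": a + b, "sub": a - b, "mul": a * b,
            "div": a / b, "sqrt": math.sqrt(a)}


def ulp_distance(x: float, ref: Decimal) -> float:
    """Distance between a hardware result and its reference, in units of x's ULP."""
    return float(abs(Decimal(x) - ref) / Decimal(math.ulp(x)))


def run_canary(compute=hardware_results, max_ulps: float = 1.0) -> list:
    """Return [(op, a, b, ulps)] for every result that drifts past max_ulps.

    `compute` is a hook so a deliberately biased implementation can be
    plugged in to confirm the canary fires; an empty list means no drift.
    """
    failures = []
    for a, b in CANARY_INPUTS:
        ref, got = reference_results(a, b), compute(a, b)
        for op in OPS:
            d = ulp_distance(got[op], ref[op])
            if d > max_ulps:
                failures.append((op, a, b, d))
    return failures
```

Run `run_canary()` periodically on the hosts that carry the sensitive workloads and treat a non-empty result as a tamper signal worth a memory forensics look; the inputs should be varied so the check is not trivially recognisable.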