Fast16 malware targets nuclear explosion simulations

The Fast16 malware platform recently detailed by SentinelOne researchers appears to have been engineered for the manipulation of nuclear weapons simulations inside advanced engineering software used for high-explosive modeling.

SentinelOne traced the framework back to roughly 2005, nearly two years before Stuxnet emerged. The most recent analysis by Symantec linked the malware directly to LS-DYNA and Autodyn, two industrial simulation suites widely used for modeling detonations, material stress, and implosion physics.

According to researchers and cybersecurity reporter Kim Zetter, Fast16 was likely part of a covert campaign targeting Iran’s nuclear weapons research infrastructure during the late 2000s and early 2010s. Unlike Stuxnet, which physically sabotaged centrifuges, Fast16 appears designed to corrupt scientific understanding itself by feeding engineers falsified simulation results.

The malware implements a “hook engine,” a rule-based binary patching framework containing 101 opcode-matching signatures. Once deployed, a boot-start filesystem driver intercepts executable files as they are read from disk. If the executable was compiled with the Intel compiler and matches predefined instruction sequences, Fast16 rewrites portions of the code in memory by injecting malicious hooks through a fabricated .xdata section.
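A defender can turn the .xdata detail into a cheap heuristic: in a normal PE32+ image, .xdata holds read-only exception-unwind tables, so an .xdata section mapped executable or writable is anomalous. The following Python is an added example written for this article, not code from Fast16 or from the Symantec/SentinelOne reports; it parses the PE section table with the standard library only and flags such a section. Because the article describes the rewrite happening in memory as the file is read, the check is meant to run over a module dumped from a running process rather than only over the on-disk file. The `build_test_image` helper fabricates a minimal header purely so the example runs offline; it is not derived from any real sample.

```python
"""Heuristic check for a PE image whose .xdata section is executable or writable.

.xdata normally holds read-only exception-unwind data, so code living there
is anomalous.  Added example: feed it a module dumped from process memory,
since the article describes the patching as in-memory.
"""
import struct

# IMAGE_SECTION_HEADER characteristics (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_sections(image: bytes):
    """Return [(name, characteristics), ...] from a PE image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        hdr = struct.unpack_from(SECTION_HEADER_FMT, image, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, hdr[9]))      # hdr[9] is Characteristics
    return sections


def suspicious_xdata(image: bytes):
    """Names of .xdata sections that are executable or writable (expected: none)."""
    bad = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [n for n, chars in parse_sections(image) if n == ".xdata" and chars & bad]


def build_test_image(xdata_chars: int) -> bytes:
    """Constructed minimal PE32+ header with .text and .xdata sections.

    Only the fields the parser reads are meaningful; this is not a loadable
    binary and is not derived from any real sample.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0  # size of a PE32+ optional header; contents zeroed here
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)

    def section(name: bytes, chars: int) -> bytes:
        return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                           0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)

    text = section(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    xdata = section(b".xdata", xdata_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + text + xdata


if __name__ == "__main__":
    normal = build_test_image(IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    hooked = build_test_image(IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                              | IMAGE_SCN_MEM_EXECUTE)
    print("normal image:", suspicious_xdata(normal))
    print("hooked image:", suspicious_xdata(hooked))
```

The heuristic is deliberately narrow: it says nothing about the 101 opcode rules themselves, only that a section which should never contain code has been given execute or write permissions. Comparing the section table of the in-memory module against the on-disk copy of the same file would catch the case the article describes, where the two differ.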

“The patterns the rules match against do not match against every Intel-Fortran-compiled, single-precision, explicit-dynamics solver of that era, but are found in versions of LS-DYNA and AUTODYN. These patterns are specific to different versions of the software and some could belong to other simulation programs as well,” Symantec says.

Researchers found the malware selectively targeted high-explosive calculations inside LS-DYNA and Autodyn. The sabotage mechanism only activated when the simulated material density exceeded 30 g/cm³, a threshold associated with uranium under the extreme shock compression generated during nuclear implosion events.

By modifying calculations only under highly specialized physical conditions, Fast16 could quietly distort modeling outputs while remaining invisible during ordinary engineering work.

“One may imagine at different stages of design, the targets were using the current version of the simulation software at that time, to which the attackers devised different tampering methods relative to the simulations being conducted at that time,” the report continues. “In fact, the 101 hook rules can be separated further into 9-10 hook groups, each for a different build of LS-DYNA or AUTODYN.”

The framework’s core service embeds an early Lua 5.0 virtual machine, as well as 13 custom libraries supporting remote service control, registry operations, and lateral movement across Windows networks. For persistence, Fast16 abuses the Windows Image File Execution Options mechanism, hijacking application launches through the Debugger registry value while transparently relaunching the legitimate program to avoid user suspicion.
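The Image File Execution Options (IFEO) technique is straightforward to hunt for: the hijack lives in a `Debugger` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>`, and Windows launches whatever that value names in place of the image. The Python below is an added example, not code from the report or from Fast16: it parses a `.reg` export of that key and reports every `Debugger` entry, marking as suspicious any whose executable is not on a small allowlist of genuine debuggers. The export text is constructed for the example, and the allowlist is an assumption a site would tune to its own tooling.

```python
"""Hunt for IFEO Debugger hijacks in a .reg export of the IFEO key.

Added example.  SAMPLE_REG_EXPORT is constructed; KNOWN_DEBUGGERS is an
assumed site allowlist.  On a live host the input would come from
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
read with encoding "utf-16".
"""
import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Debugger executables a site considers legitimate (assumption, tune locally).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

# Constructed export: one hijack, one unrelated IFEO value, one real debugger.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\solver.exe]
"Debugger"="C:\\ProgramData\\svc\\launcher.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacyapp.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3wp.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"
'''


def parse_reg_export(text):
    """Yield (key_path, value_name, value) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                # .reg string values escape backslash and quote with a backslash.
                yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])


def debugger_basename(cmd):
    """Lower-cased file name of the first token of a Debugger command line."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    path = (m.group(1) or m.group(2)) if m else cmd
    return path.rsplit("\\", 1)[-1].lower()


def find_ifeo_hijacks(text, allow=KNOWN_DEBUGGERS):
    """Return [(target image, debugger command, suspicious), ...]."""
    findings = []
    for key, name, val in parse_reg_export(text):
        if not key.startswith(IFEO_PREFIX) or name.lower() != "debugger":
            continue
        image = key[len(IFEO_PREFIX):]
        findings.append((image, val, debugger_basename(val) not in allow))
    return findings


if __name__ == "__main__":
    for image, cmd, suspicious in find_ifeo_hijacks(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if suspicious else "allowlisted"
        print(f"{flag:11} {image} -> {cmd}")
```

Any `Debugger` value that points at something other than a real debugger deserves a look, and the article's detail that the hijacker relaunches the legitimate program explains why the user sees nothing wrong. The same check is easy to express as a Sysmon or EDR rule on registry writes to the IFEO key; this technique is catalogued in MITRE ATT&CK as T1546.012.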

The malware also installs svcmgmt.dll as a Multiple Provider Router network provider notifyee, allowing it to monitor new network share connections through the named pipe \\.\pipe\p577. It simultaneously enumerates domains, servers, and shared resources to identify additional systems inside the target environment.
