
20-Year-Old Malware Rewrites History of Cyber Sabotage

Source: Dark Reading. Archived Apr 27, 2026.

Researchers have uncovered a malware framework dubbed "fast16" that predates Stuxnet by five years.



Jai Vijayan, Contributing Writer
April 27, 2026

Researchers have long considered the Stuxnet attacks on Iran's nuclear centrifuges in Natanz to be the opening chapter of state-sponsored cyber sabotage. As it turns out, at least five years before Stuxnet became public in 2010, somebody had developed an equally potent cyber weapon, one capable of injecting near-imperceptible errors into high-precision mathematical computations to gradually undermine and sabotage systems and applications that rely on their results.

Researchers at SentinelOne who discovered the previously undocumented malware framework, which they are tracking as fast16, say it represents the earliest example yet of a cyber tool designed explicitly for sabotaging "ultra expensive high-precision computing workloads of national importance like advanced physics, cryptographic, and nuclear research workloads."

"The discovery of fast16 rewrites our understanding of what a cyber weapon can do, as well as when nation-state cyber sabotage operations matured to the level of becoming a serious threat to critical infrastructure," says SentinelOne researcher Vitaly Kamluk in comments to Dark Reading.

Rewriting Notions of a Cyberweapon

Fast16's function was to quietly corrupt mathematical outputs of engineering and scientific software by introducing tiny systematic errors that would be nearly impossible to detect without running independent calculations on a completely separate, uninfected system.

SentinelOne likened fast16's delivery mechanism to a "cluster munition" that could drop multiple "wormlets" that would then distribute the main payload to as many machines as possible in a target environment by looking for and exploiting vulnerabilities in them.

Fast16 marks a major turning point in the history of cyber weapons, Kamluk says. "Despite its twenty-year vintage, we have yet to discover another malware specifically designed to compromise high-precision mathematical calculations in this way."

A Fortunate Find

SentinelOne researchers uncovered fast16 while attempting to trace the earliest meaningful use of an embedded Lua VM in Windows malware. Lua is a scripting language that organizations use to extend an application's functionality. SentinelOne had observed how the authors of highly sophisticated malware frameworks such as Flame, Flame 2.0, PlexingEagle, and Project Sauron consistently embedded a Lua scripting engine to add modularity to their tools and wanted to see how far back the practice went.

What they discovered was fast16, with components dating back to 2005, well before the earliest known use of Stuxnet, widely regarded as the first known deployment of a cyber weapon in a geopolitical context. Their analysis of fast16 showed it to be the first-ever Lua-based network worm targeting high-precision calculation software.

The name "fast16" appears in a document the ShadowBrokers group leaked in 2016 regarding the National Security Agency's offensive cyber weapons. But SentinelOne did not attribute the malware to NSA or any other entity.

Remarkably, someone had uploaded the malware to VirusTotal more than a decade ago, where it has remained almost undetected. Only one engine on VirusTotal classifies the tool as generally malicious, but even that is with moderate confidence, SentinelOne said.

While that VirusTotal result may appear concerning, Kamluk noted that fast16 "is genuinely an old piece of malware" that only runs in an "environment that is largely obsolete."

"Frankly, we believe we were fortunate simply to pick up the trace, as it was surrounded by misleading false vectors that could easily have led other researchers to an incorrect hypothesis without proper validation."

Targeted Software Suites

The researchers identified three software suites that fast16 likely targeted: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling. SentinelOne identified LS-DYNA as software that Iran is reported to have used in computer modeling relevant to its nuclear weapons development program, suggesting it might have been a target even before Stuxnet.

However, researchers are unsure if the authors — most likely state actors — ever deployed the weapon, what its intended targets are, or what impact it would have in an actual attack scenario.

"As for geopolitical contexts and nation states, the malware has no specific reference about where it was meant to be deployed," Kamluk says. "The targeted software could pop up anywhere."

Still, Kamluk assesses fast16 as likely the work of a nation-state actor. "Patching software that performs high-precision physical process simulation is beyond the scope of a typical developer," he says. "It requires intimate familiarity with the specific subject field to create subtle yet meaningful sabotage alterations."

An Attack Vector Remains Relevant

Considering the software's age, it is extremely difficult to know if any organizations fell victim to fast16. So, it is only possible to speculate on the possible outcomes of a fast16 attack.

Considering it was written for a different generation of systems, fast16 is incapable of running on modern systems, Kamluk says. The malware runs only on uniprocessor Windows XP systems, an environment that is now largely obsolete. Even in rare instances when such legacy systems persist in old laboratories, installing modern security software on them is often impossible, he notes.

"[But] the underlying attack vector remains highly relevant. High-precision calculations, whether used in financial trading, AI model training, or various simulation software, could still be the target of a similar, but modernized threat today."

SentinelOne has published YARA rules that organizations can use to check older systems or data archives.

"The true significance of the fast16 discovery lies in identifying this novel and unusual cyber sabotage attack vector itself," Kamluk says.
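The article notes that errors of this kind only surface when results are recomputed on a separate, uninfected system. The following added example (not from the article or from SentinelOne's report) shows that cross-check: it compares the outputs of one job from a trusted host and a suspect host. The function names, thresholds and sample data are constructed for illustration, and the premise that benign rounding noise falls on both sides of the reference is an assumption.

```python
import math
import struct

def ulp_distance(a: float, b: float) -> int:
    """Count representable doubles between a and b (0 = same value)."""
    def ordered(x: float) -> int:
        # Reinterpret the IEEE-754 bits as an integer that sorts like the float.
        bits = struct.unpack("<q", struct.pack("<d", x))[0]
        return bits if bits >= 0 else -(bits & 0x7FFFFFFFFFFFFFFF)
    return abs(ordered(a) - ordered(b))

def compare_runs(reference, suspect, max_ulps=4, bias_ratio=0.9, min_differing=20):
    """Compare outputs of one job run on a trusted host and on a suspect host.

    Thresholds are assumptions for this example; tune them per solver.
    """
    if len(reference) != len(suspect):
        raise ValueError("runs must contain the same number of outputs")
    outliers, higher, lower = [], 0, 0
    for i, (r, s) in enumerate(zip(reference, suspect)):
        if not (math.isfinite(r) and math.isfinite(s)):
            outliers.append(i)          # NaN/inf on either side needs a human look
            continue
        if ulp_distance(r, s) > max_ulps:
            outliers.append(i)          # larger than ordinary rounding noise
        higher += s > r
        lower += s < r
    differing = higher + lower
    # Rounding noise lands on both sides of the reference; a drift that is
    # almost always in one direction points to a systematic alteration.
    one_sided = (differing >= min_differing
                 and max(higher, lower) / differing >= bias_ratio)
    return {"outliers": outliers, "differing": differing, "one_sided": one_sided}

# Constructed sample data: 200 outputs from a stand-in "simulation".
REFERENCE = [math.sqrt(i) * 1000.0 for i in range(1, 201)]
# Benign second host: +/-1 ULP jitter in both directions.
NOISY = [math.nextafter(v, math.inf) if i % 3 == 0 else
         math.nextafter(v, -math.inf) if i % 3 == 1 else v
         for i, v in enumerate(REFERENCE)]
# Altered host: every result one ULP high, far below any print precision.
DRIFTED = [math.nextafter(v, math.inf) for v in REFERENCE]
# Altered host: every result scaled by one part in a billion.
SCALED = [v * (1.0 + 1e-9) for v in REFERENCE]

if __name__ == "__main__":
    for name, run in (("noisy", NOISY), ("drifted", DRIFTED), ("scaled", SCALED)):
        result = compare_runs(REFERENCE, run)
        print(name, len(result["outliers"]), result["one_sided"])
```

The one-ULP drift passes a pure tolerance check and is caught only by the direction test, which is why the comparison reports both signals.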