Researchers find cyber-sabotage malware that may predate Stuxnet by five years
(2026/04/24)
- Reference: 1777013782
- News link: https://www.theregister.co.uk/2026/04/24/fast16_sabotage_malware/
- Source link:
Black Hat Asia: Infosec outfit SentinelOne has found malware that tries to induce errors in engineering and physics simulation software, which the firm says represents an attempt at sabotage, and it suggests the code was created years before the Stuxnet worm that aimed to destroy Iran’s uranium enrichment centrifuges.
The company’s Vitaly Kamluk discussed the malware in a talk at the Black Hat Asia conference today. SentinelOne has also published a [1]blog post about the malware.
Kamluk told the conference the discovery came about after he wondered if known nation-state-espionage tools like Flame, Animal Farm, and Project Sauron were the first of their kind. All three shared use of the Lua language and virtual machine, so he went looking for similar software.
That search led to a malware sample uploaded to VirusTotal in 2016 that includes a reference to “fast16”.
Kamluk’s analysis of the sample suggested the techniques its developers employed were not typical of 2016-era malware. SentinelOne researchers also recalled that the infamous [5]ShadowBroker malware trove, which appeared in 2016 and was later linked to the United States National Security Agency, contained a reference to fast16.
SentinelOne thinks fast16 came into existence around 2005, based on clues in the code and the fact it won’t run on anything more recent than Windows XP – and even then only on a single-core CPU. Intel shipped its first multi-core consumer CPUs in 2006.
The researchers analyzed the sample and found it tries to install a worm and deploy a driver called fast16.sys.
Claude chokes
Kamluk used Claude to analyze fast16, and said at one point the AI choked on the job and repeatedly failed to produce a report he asked it to write.
The researcher asked Claude why it couldn’t finish the job, and it produced paragraphs of introspective explanation, berating itself for not being fast enough to help its polite user and urging itself to just finish the job.
The chatbot eventually did, and suggested “Whoever built this had intimate knowledge of the target binary” and that the most likely intention of whoever developed the malware was “industrial sabotage.”
Kamluk said the strange Claude session shows infosec experts won’t be replaced by AI any time soon.
The driver includes a routine that alters the output of floating-point calculations and also goes looking for “precision calculation tools in specialised domains such as civil engineering, physics and physical process simulations.”
The researchers think fast16 targeted three high-precision engineering and simulation suites that were used in the mid-2000s: “LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling.”
Iran is thought to have used LS-DYNA in its nuclear weapons program.
Kamluk hypothesized that fast16’s purpose was to cause errors in calculations run by engineering simulation software, perhaps leading to real-world problems. And he asserted that fast16 was a cyberweapon that preceded Stuxnet by five years.
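The driver described above alters the output of floating-point calculations, and Kamluk later suggests the affected vendors may want to check their products' output for evidence of tampering. As an added, illustrative example (not code from SentinelOne, the talk, or any of the named vendors), the following C self-test shows one way a simulation product could verify its own floating-point results at run time. It assumes nothing about how fast16 actually modifies results: it evaluates operations whose IEEE-754 outcomes are exactly known and compares the result bits, and it cross-checks a floating-point accumulation against exact integer arithmetic. The operations, expected bit patterns and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a known-answer self-test for floating-point integrity.
 * Each entry is an operation whose IEEE-754 double result is exactly known,
 * so a bit-for-bit comparison flags any run-time interference with FP results
 * (whatever its mechanism; this code assumes nothing about fast16 itself). */

static uint64_t dbl_bits(double d) {
    uint64_t u;
    memcpy(&u, &d, sizeof u);
    return u;
}

/* volatile operands stop the compiler from folding the arithmetic at build
 * time; the whole point is to exercise the FPU while the program runs. */
static volatile double v_tenth = 0.1, v_fifth = 0.2, v_three = 3.0,
                       v_seven = 7.0, v_one = 1.0, v_four = 4.0;

struct known_answer {
    const char *name;
    double (*op)(void);
    uint64_t expected_bits;   /* bit pattern of the correct IEEE-754 result */
};

static double op_add(void) { return v_tenth + v_fifth; } /* 0.30000000000000004 */
static double op_mul(void) { return v_three * v_seven; } /* exactly 21.0 */
static double op_div(void) { return v_one / v_four; }    /* exactly 0.25 */
static double op_sub(void) { return v_one - v_tenth; }   /* rounds to 0.9 */

static const struct known_answer tests[] = {
    { "0.1 + 0.2", op_add, 0x3FD3333333333334ULL },
    { "3.0 * 7.0", op_mul, 0x4035000000000000ULL },
    { "1.0 / 4.0", op_div, 0x3FD0000000000000ULL },
    { "1.0 - 0.1", op_sub, 0x3FECCCCCCCCCCCCDULL },
};

/* Runs every known-answer test; returns the number of mismatches (0 = clean). */
int fpu_known_answer_selftest(void) {
    int failures = 0;
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        uint64_t got = dbl_bits(tests[i].op());
        if (got != tests[i].expected_bits) {
            fprintf(stderr, "FP integrity: %s gave 0x%016llx, expected 0x%016llx\n",
                    tests[i].name, (unsigned long long)got,
                    (unsigned long long)tests[i].expected_bits);
            failures++;
        }
    }
    return failures;
}

/* Cross-checks a floating-point accumulation against exact integer arithmetic:
 * sums 1..n in doubles (exact while the total stays below 2^53) and compares
 * with n(n+1)/2. Returns 1 if they agree, 0 if the FP path diverged. */
int fp_integer_crosscheck(unsigned n) {
    volatile double acc = 0.0;
    for (unsigned i = 1; i <= n; i++) acc += (double)i;
    uint64_t expected = (uint64_t)n * (n + 1) / 2;
    return (double)expected == acc;
}

int main(void) {
    int bad = fpu_known_answer_selftest();
    int ok = fp_integer_crosscheck(100000);
    printf("known-answer failures: %d, integer cross-check: %s\n",
           bad, ok ? "ok" : "MISMATCH");
    return (bad == 0 && ok) ? 0 : 1;
}
```

A product would run such checks at start-up and periodically during long solver runs, and log any mismatch alongside the job so that suspect results can be quarantined. The check only catches interference that shows up on these operands; tampering scoped to particular processes or value ranges would need equivalent checks embedded in the real computation paths.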
“In the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development programs and later, more widely documented Lua‑ and LuaJIT‑based toolkits,” Kamluk wrote with SentinelOne colleague Juan Andrés Guerrero-Saade.
“It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today.”
In his talk, Kamluk said he’s disclosed his work to the vendors of the engineering applications fast16 targets, because he feels they may want to check the output of their products for evidence that the malware produced incorrect calculations.
“Maybe there are more discoveries to come?” he concluded.
Kamluk tearfully dedicated his talk to friend and colleague Sergey Mineev, who he said was responsible for finding many enormously significant APTs, without seeking attention for the significance of his work, and passed away in March. ®
[1] https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/
[5] https://www.theregister.com/2016/08/19/snowden_docs_shadow_brokers_nsa_exploits/
TheMaskedMan
Interesting. Claude is made by Anthropic, who, until their recent spat, was deeply involved with the US govt in security / military matters. Could it be that it's trained to fudge up such an analysis? From the very brief description of Claude's behaviour above, it sounds remarkably like behaviour of an LLM trained to produce an answer that it "knows" to be false, as recently reported elsewhere. Just sayin.
Stuxnet
It doesn't seem to have been widely reported (and I see no mention now in the Wikipedia page) but a reasonably wide-ranging BBC docu with credible-sounding-but-impossible-to-verify sources a few years back concluded that Stuxnet was chiefly US-designed and funded but deployed by and therefore under the control of Israeli agents. The US urged restraining the sabotage to avoid alerting Iranians to the possibility that centrifuge failures had malicious cause. The Israelis, so the story goes, after some back-and-forth defied the US and dialled up the failures, which led to the Iranians becoming very suspicious. I don't remember whether there was any evidence those suspicions significantly pre-dated or led to the wider Stuxnet infections that ultimately blew its cover, but I remember several US-cyber sources being very pissed off.
All this to say: If US doctrine at the time favoured highly-covert sabotage then going after simulation software and that only coming to light now seems reasonably plausible. It was such an eye-watering jump to targeting centrifuges so specifically that it's easy to believe there was some kind of precedent.