fast16 exposed: Cyber sabotage malware first teased in NSA leaks could be older than Stuxnet

"This forces a re-evaluation of the timeline for serious nation-state covert cyber sabotage operations".

Was fast16 designed to target Iranian weapons programmes? (Photo by Moslem Daneshzadeh on Unsplash)

When the ShadowBrokers famously leaked a cache of top-secret National Security Agency hacking tools, the data contained a tantalising clue.

The Territorial Dispute (TeDi) dump offered a glimpse of the code the NSA used to monitor and surveil up to 45 nation-state actors.

But it also contained a mysterious evasion signature - a short message telling other state-backed cyber operators to leave it alone - that referred to a driver called fast16 and advised: "Nothing to see here - carry on."

Now, almost a decade after the 2017 leak, researchers from SentinelOne have not only discovered and shed light on this "previously undocumented cyber sabotage framework" but also claimed it predates Stuxnet and strongly hinted that it may have been used against Iran’s nuclear programme.

"fast16 forces a re-evaluation of our historical understanding of the timeline of development for serious covert cyber sabotage operations," wrote Vitaly Kamluk and Juan Andrés Guerrero-Saade of the security firm’s SentinelLABS.

"It is a reference point for understanding how advanced actors think about long-term implants, sabotage, and a state’s ability to reshape the physical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its covertness until today."

An ancestor of Stuxnet?

The core components of fast16 can be traced back to 2005, the researchers said, which is the year when development on Stuxnet is believed to have begun. By 2009, Stuxnet had infected computers at Iran’s Natanz Nuclear Facility, causing centrifuges used to enrich uranium to spin so fast that they effectively self-destructed.

SentinelLABS found that fast16.sys targets calculation software, patching code in memory to tamper with results and spread false outputs across an entire facility.

"This 2005 attack is a harbinger for sabotage operations targeting ultra-expensive high-precision computing workloads of national importance like advanced physics, cryptographic, and nuclear research workloads," it wrote.

"fast16… stands as the first operation of its kind."

The investigation into fast16 started with an "architectural hunch" based on the observation that a "certain tier of apex threat actors" rely on modular embedded scripting engines such as Lua, used in malware families like Flame, Animal Farm (Bunny), PlexingEagle, Flame 2.0, and Project Sauron.

SentinelLABS set out to discover whether the development style using Lua came from the same source.

Binary strings in svcmgmt.exe, a 2005 Windows service binary acting as a malware loader, revealed an embedded Lua VM, encrypted payload and debug path linking it to fast16.sys.

Researchers said fast16.sys was "a cut above commodity rootkits" - kernel-level implants used to intercept and manipulate data at the filesystem layer. It operated from deep within the storage stack, giving it control over filesystem input and output and allowing it to selectively patch code based on predefined rules.

A string inside svcmgmt.exe provided the central forensic clue, connecting the leak of NSA tools with a Lua-powered kernel driver "designed for precision sabotage" compiled in 2005.

"The core component of fast16, svcmgmt.exe, functions as a highly adaptable carrier module, changing its operational mode based on command-line arguments," investigators explained.

This carrier was designed to function like a "cluster munition in software form", carrying multiple wormable payloads called "wormlets".

It can install itself as a Windows service, escalate privileges and spread laterally using standard admin tools like file shares and service control. The worm avoids monitored environments, then replicates across machines, maintaining a light reporting channel.

The payload, fast16.sys, loads at boot as a filesystem driver and intercepts file operations. Using a rule-based engine, it patches executable code in memory, targeting high-precision software and subtly corrupting calculations. The end result is a network-wide compromise where every system produces the same wrong answers.

"The early 2000s saw a large number of network worms," SentinelLABS wrote. "Most were written by enthusiasts, spread quickly, and carried little or no meaningful payload. fast16 originates from the same period but follows a completely different pattern indicative of its provenance as state-level tooling. It’s the first recorded Lua-based network worm, and was built with a highly specific mission."

What was the target of fast16?

The most likely answer is Iran, although this cannot be proven conclusively.

Pattern matches pointed to three likely targets - LS-DYNA 970, PKPM, and MOHID - which are sophisticated engineering and simulation tools. LS-DYNA, in particular, is understood to have been used in modelling relevant to Iran’s nuclear programme, such as researching explosive payloads.

Unusual version-control strings in the code of fast16.sys and its related components indicate it was built by developers with roots in legacy Unix environments, who are likely to have been a highly experienced team.

These strings are artefacts of SCCS (Source Code Control System) and RCS (Revision Control System), early Unix version-control tools from the 1970s and 80s used to track changes to code and manage revisions.

"Finding SCCS/RCS artefacts in mid-2000s Windows code is rare," SentinelLABS wrote. "It strongly suggests that the authors of this framework were not typical Windows-only developers.

"Instead, they appear to have been long-term engineers whose culture and toolchain came from older, high-security Unix environments, often associated with government or military-grade work. This detail supports the view that fast16 came from a well-resourced, long-running development program."
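As an added illustration of how an analyst might triage a sample for the artefacts described above, the following script scans a binary blob for SCCS "what" strings (which begin with the marker `@(#)`), expanded or unexpanded RCS keywords (`$Id: ... $`, `$Revision$` and similar) and the version strings the Lua interpreter embeds. This is example code written for this article, not SentinelLABS tooling; the Lua indicator patterns are assumptions based on the stock interpreter's strings, and the sample bytes are constructed, not taken from svcmgmt.exe or fast16.sys.

```python
import re
from dataclasses import dataclass
from typing import List

# SCCS "what" strings start with the four-byte marker "@(#)" followed by printable text.
SCCS_RE = re.compile(rb"@\(#\)[ -~]{1,120}")
# RCS keywords appear as "$Keyword$" (unexpanded) or "$Keyword: ... $" (expanded).
RCS_RE = re.compile(
    rb"\$(Id|Header|Revision|Date|Author|Source|RCSfile|Log)(:[^$\x00]{0,200})?\$"
)
# Assumed indicator strings from the stock Lua interpreter (version and copyright banner).
LUA_RE = re.compile(rb"Lua 5\.[0-9](\.[0-9])?|Copyright \(C\) 1994-20[0-9]{2} Lua\.org, PUC-Rio")


@dataclass
class Hit:
    kind: str    # "SCCS", "RCS" or "Lua"
    offset: int  # byte offset of the match within the blob
    text: str    # matched string, decoded for display


def scan_artifacts(blob: bytes) -> List[Hit]:
    """Return every SCCS/RCS/Lua artefact found in blob, ordered by offset."""
    hits = []
    for kind, rx in (("SCCS", SCCS_RE), ("RCS", RCS_RE), ("Lua", LUA_RE)):
        for m in rx.finditer(blob):
            hits.append(Hit(kind, m.start(), m.group(0).decode("ascii", "replace")))
    return sorted(hits, key=lambda h: h.offset)


def summarize(blob: bytes) -> dict:
    """Count artefacts per kind; a non-zero SCCS or RCS count is the 'Unix toolchain' signal."""
    hits = scan_artifacts(blob)
    return {kind: sum(h.kind == kind for h in hits) for kind in ("SCCS", "RCS", "Lua")}


# Constructed sample: a fake PE header stub with planted artefacts (not real malware bytes).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"@(#)loader.c 1.12 05/03/14\x00" + b"\x00" * 8
    + b"$Id: engine.c,v 1.7 2005/03/14 10:22:31 dev Exp $\x00"
    + b"Lua 5.0.2\x00"
    + b"$Revision$\x00"
)

if __name__ == "__main__":
    for h in scan_artifacts(SAMPLE):
        print(f"{h.offset:#08x} {h.kind:5s} {h.text}")
    print(summarize(SAMPLE))
```

Run it against a suspect file with `scan_artifacts(open(path, "rb").read())`; hits are a lead for further analysis, not a verdict, since legitimate Unix-derived software ships the same strings.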

Researchers said their work demonstrated that "state-grade cybersabotage against physical targets" was "fully developed and deployed by the mid-2000s", but operated under total secrecy.

They said the discovery shows that embedded scripting, compiler-specific targeting and kernel-level patching formed a unified architecture years ahead of better-known malware, while similarly advanced capabilities likely remained overlooked in old samples without proper context.

The operation carried almost no identifying markers — and for years, it had no public attribution, named campaign or headline incident.

Astonishingly, svcmgmt.exe, the self-propagating service binary that acts as a carrier for the fast16 framework, was uploaded to VirusTotal nearly a decade ago, yet still receives almost no detections. Just one engine flagged it weakly as malicious, an unusually low profile for malware capable of spreading itself and deploying a high-end sabotage driver.

Until now, when it finally looks as if we’ve learned the truth behind those fateful words: "Nothing to see here - carry on."