Fast16 malware targets high-value systems

- SentinelLabs disclosed fast16, a previously unknown malware framework from 2005 that patches engineering software in memory to silently corrupt calculations.
- Researchers linked fast16 to a Windows XP-era service binary, a fast16.sys kernel driver, and worm-like spread over weak file-share passwords.
- The finding pushes cyber-sabotage timelines earlier than Stuxnet and points to physical-process targeting. (sentinelone.com)

Some malware steals files. Fast16 appears built to change the math inside engineering software without alerting the operator. (sentinelone.com) SentinelLabs said in April 2026 that the framework dates to 2005 and includes a service binary, `svcmgmt.exe`, plus a kernel driver named `fast16.sys`. The researchers said the code was designed for Windows 2000 and Windows XP systems. (sentinelone.com) (securityweek.com)

The driver intercepts executable reads and patches code in memory, so the target program keeps running while its floating-point calculations are nudged off course. SentinelOne said that approach could produce bad simulation results instead of obvious crashes. (securityweek.com) (theregister.com)

The likely targets were high-precision tools used in engineering and physical modeling, including LS-DYNA 970, PKPM, and the MOHID hydrodynamic platform. Those programs are used for jobs such as crash testing, structural analysis, and water-system modeling. (theregister.com) (wired.com)

SentinelOne researchers Vitaly Kamluk and Juan Andres Guerrero-Saade said the malware also carried Lua code for configuration, coordination, and propagation. SecurityWeek reported that it moved through Windows file shares using default or weak passwords. (securityweek.com)

That makes fast16 different from a typical espionage implant. The apparent goal was not to copy documents, but to make trusted software return false answers that could shape real-world industrial decisions. (sentinelone.com) (wired.com)

The discovery also reopens the history of cyber-sabotage. Stuxnet has long been treated as the defining early case, but SentinelOne says fast16 predates Stuxnet by about five years. (darkreading.com) (sentinelone.com)

Attribution remains cautious. SecurityWeek said SentinelOne found evidence consistent with U.S. development, and Wired reported the researchers suspect the malware may have been aimed at Iran's nuclear program, but neither outlet described a public government confirmation. (securityweek.com) (wired.com) One clue came from the Shadow Brokers leak of alleged National Security Agency tools in 2016 and 2017, where researchers found a reference to "fast16." SentinelOne said that helped connect an old malware sample to a larger offensive ecosystem. (thehackernews.com) (securityweek.com)

For defenders, the case shifts the question from data theft to data integrity. If the software that engineers trust can be quietly altered in memory, the wrong answer can be the attack. (sentinelone.com)


Shared from Scout - Be the smartest in the room.