Fast16 Lua-based network worm
Malware Activity
Summary
Hide ▲
Show ▼
Researchers identified fast16, a previously undocumented Lua-based network worm that can silently corrupt high-precision calculations and threaten legacy scientific and engineering systems. The malware was tied to components dating back to 2005 and was described as able to spread by exploiting vulnerabilities in target environments. Its relevance lies in showing an unusually early cyber weapon aimed at sabotaging computational results rather than simply stealing data or causing obvious disruption.
Related Happenings
Major South Korean electronics manufacturer hit by data theft breach
Incident
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
Major South Korean electronics manufacturer hit by data theft breach
IncidentAbout this happening: A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
Fast16 analysis reveals a sabotage worm that corrupts high-precision computations
Technical Analysis
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
How related:
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations.
About this happening:
Researchers identified **fast16**, a previously undocumented malware framework that can silently corrupt **high-precision computations**, exposing a sabotage method that can under...
Fast16 analysis reveals a sabotage worm that corrupts high-precision computations
Technical AnalysisHow related: A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations.
About this happening: Researchers identified **fast16**, a previously undocumented malware framework that can silently corrupt **high-precision computations**, exposing a sabotage method that can under...
Fast16 malware framework technical analysis of svcmgmt.exe and fast16.sys
Technical Analysis
First: 27.04.2026 12:10
Last: 27.04.2026 12:10
Sources 1
How related:
The development comes weeks after SentinelOne presented an analysis of fast16, describing it as the first sabotage framework whose components may have developed as early as 2005, predating the earliest known version of Stuxnet (aka Stuxnet 0.5) by two years.
About this happening:
Researchers uncovered **Fast16**, a **2005-era** malware framework that shows how a **Lua-based** implant could sabotage software years before **Stuxnet**. The analysis matters be...
Fast16 malware framework technical analysis of svcmgmt.exe and fast16.sys
Technical AnalysisHow related: The development comes weeks after SentinelOne presented an analysis of fast16, describing it as the first sabotage framework whose components may have developed as early as 2005, predating the earliest known version of Stuxnet (aka Stuxnet 0.5) by two years.
About this happening: Researchers uncovered **Fast16**, a **2005-era** malware framework that shows how a **Lua-based** implant could sabotage software years before **Stuxnet**. The analysis matters be...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware ActivityAbout this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Hive0163 extortion and ransomware campaign using ClickFix and malvertising
Campaign
First: 12.03.2026 19:02
Last: 12.03.2026 19:02
Sources 1
About this happening:
Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...
Hive0163 extortion and ransomware campaign using ClickFix and malvertising
CampaignAbout this happening: Hive0163 is running an **active extortion and ransomware campaign** that expands access and raises the risk of **large-scale data exfiltration**. The operation uses **ClickFix**,...
Timeline
-
27.04.2026 16:09 2 articles · 1mo ago
SentinelOne discloses fast16 as a Lua-based sabotage worm
Technical Analysis UpdateSentinelOne identified fast16 as a previously undocumented malware framework with components dating back to 2005, describing it as the first-ever Lua-based network worm targeting high-precision calculation software and capable of quietly corrupting engineering and scientific outputs with tiny systematic errors. The analysis links likely target software to LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, notes that the tool runs only on uniprocessor Windows XP systems, and states that published Yara rules can be used to check older systems or data archives for traces of the malware.
Show sources
- 20-Year-Old Malware Rewrites History of Cyber Sabotage — www.darkreading.com — 27.04.2026 16:09
- Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations — thehackernews.com — 18.05.2026 09:46