Fast16 malware framework technical analysis of svcmgmt.exe and fast16.sys
Technical Analysis
Summary
Researchers uncovered Fast16, a 2005-era malware framework that shows how a Lua-based implant could sabotage software years before Stuxnet. The analysis matters because fast16.sys intercepted filesystem reads and patched executable code on disk, enabling stealthy tampering with engineering outputs. It also targeted Windows 2000/XP and depended on default or weak admin passwords on file shares.
Related Happenings
Major South Korean electronics manufacturer hit by data theft breach
Incident
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
Fast16 Lua-based network worm
Malware Activity
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
How related:
Fast16 is crafted such that it will not infect computers that have certain security products installed. It also automatically spreads to other endpoints on the same network, so that any machine that's used to run the simulations will generate the same tampered outputs.
About this happening:
Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
Fast16 analysis reveals a sabotage worm that corrupts high-precision computations
Technical Analysis
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
How related:
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations.
About this happening:
Researchers identified **fast16**, a previously undocumented malware framework that can silently corrupt **high-precision computations**, exposing a sabotage method that can under...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...
Osiris ransomware uses POORTRY BYOVD to disable defenses and exfiltrate data
Malware Activity
First: 22.01.2026 20:00
Last: 22.01.2026 20:00
Sources 1
About this happening:
Researchers disclosed **Osiris**, a **new ransomware family** that hit a **major food service franchisee operator in Southeast Asia** in **November 2025**, showing an active intru...
Timeline
- 27.04.2026 12:10 · 2 articles
SentinelOne identifies Fast16 sabotage malware
Technical Analysis Update
SentinelOne researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade identified Fast16, a 2005-era malware family that used an embedded Lua 5.0 VM in svcmgmt.exe and referenced the kernel driver fast16.sys. The analysis says fast16.sys intercepted filesystem I/O with boot-start driver behavior and rule-based code patching, targeted Windows 2000/XP systems that used default or weak admin passwords on file shares, and was designed to corrupt calculation outputs in LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform.
- Researchers Identify Fast16 Sabotage Malware That Pre-Dates Stuxnet — www.infosecurity-magazine.com — 27.04.2026 12:10
- Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations — thehackernews.com — 18.05.2026 09:46