Find notable cyber news and cases, enriched with sources, timelines, and signals.

Fast16 malware framework technical analysis of svcmgmt.exe and fast16.sys

Technical Analysis
First reported
Last updated
Happening score
H score 22
2 unique sources, 2 articles

Summary

Hide ▲

Researchers uncovered Fast16, a 2005-era malware framework that shows how a Lua-based implant could sabotage software years before Stuxnet. The analysis matters because fast16.sys intercepted filesystem reads and patched executable code on disk, enabling stealthy tampering with engineering outputs. It also targeted Windows 2000/XP and depended on default or weak admin passwords on file shares.

Related Happenings

MacOS.Gaslight AI-analysis evasion malware

Malware Activity
H score22 First: 25.06.2026 19:23 Last: 25.06.2026 19:23 Sources 1

About this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Major South Korean electronics manufacturer hit by data theft breach

Incident
H score13 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...

Fast16 Lua-based network worm

Malware Activity
H score14 First: 27.04.2026 16:09 Last: 27.04.2026 16:09 Sources 1

How related: Fast16 is crafted such that it will not infect computers that have certain security products installed. It also automatically spreads to other endpoints on the same network, so that any machine that's used to run the simulations will generate the same tampered outputs.

About this happening: Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...

Fast16 analysis reveals a sabotage worm that corrupts high-precision computations

Technical Analysis
H score22 First: 27.04.2026 16:09 Last: 27.04.2026 16:09 Sources 1

How related: A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations.

About this happening: Researchers identified **fast16**, a previously undocumented malware framework that can silently corrupt **high-precision computations**, exposing a sabotage method that can under...

Timeline

  1. 27.04.2026 12:10 2 articles · 2mo ago

    SentinelOne identifies Fast16 sabotage malware

    Technical Analysis Update

    SentinelOne researchers Vitaly Kamluk and Juan Andrés Guerrero-Saade identified Fast16, a 2005-era malware family that used an embedded Lua 5.0 VM in svcmgmt.exe and referenced the kernel driver fast16.sys. The analysis says fast16.sys intercepted filesystem I/O with boot-start driver behavior and rule-based code patching, targeted Windows 2000/XP systems that used default or weak admin passwords on file shares, and was designed to corrupt calculation outputs in LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform.

    Show sources