Pre-Stuxnet Lua-based Fast16 sabotage malware with filesystem driver targeting Iranian nuclear program discovered

1 unique source, 1 article

Summary

Researchers have uncovered Fast16, a Lua-based sabotage malware with a kernel-mode filesystem driver (fast16.sys) that predates Stuxnet by at least five years, likely active from 2005. The malware, designed to target Windows 2000/XP systems, intercepts and modifies executable code at the filesystem level via a boot-start driver, enabling rule-based patching of running processes. It specifically sabotaged engineering and simulation suites (LS-DYNA 970, PKPM, MOHID) used in Iran’s nuclear program by corrupting calculation routines, introducing systematic errors to degrade research outputs or cause physical damage. Fast16’s Lua 5.0 virtual machine and wormlet payload architecture represent an early example of modular, multi-purpose sabotage malware with environmental awareness to evade detection.

Timeline

  1. 27.04.2026 12:10 · 1 article

    Lua-based Fast16 sabotaging filesystem driver targeting Iranian nuclear program discovered

    A previously undocumented Lua-based sabotage malware, Fast16, was identified with a boot-start kernel driver (fast16.sys) that intercepts and modifies executable code at the filesystem level. Active by at least 2005, Fast16 targeted Windows 2000/XP systems running engineering simulation suites (LS-DYNA 970, PKPM, MOHID) used in Iran’s nuclear program, corrupting calculation routines to introduce systematic errors. The malware’s design includes an embedded Lua 5.0 VM and modular ‘wormlet’ payloads, marking it as the first recorded Lua-based network worm and a precursor to later sabotage frameworks.

Information Snippets

  • Fast16’s kernel driver (fast16.sys) is a boot-start filesystem component that intercepts and modifies executable code as it is read from disk using an embedded Lua 5.0 VM.

    First reported: 27.04.2026 12:10
    1 source, 1 article
  • The malware targets Windows 2000/XP environments and relies on default or weak admin passwords on file shares for propagation, with environmental checks to avoid specific security software.

    First reported: 27.04.2026 12:10
    1 source, 1 article
  • Fast16 predates Stuxnet (discovered in 2010) by at least five years, with activity dating to 2005, and is the first recorded Lua-based network worm.

    First reported: 27.04.2026 12:10
    1 source, 1 article
  • Targeted software includes LS-DYNA 970 (crash testing/structural analysis), PKPM (structural engineering), and MOHID (hydrodynamic modeling), with LS-DYNA 970 suspected to have been deployed in Iran.

    First reported: 27.04.2026 12:10
    1 source, 1 article
  • The malware’s payload architecture involves modular ‘wormlets’ designed to corrupt calculation routines, introducing small but systematic errors to undermine research programs or degrade engineered systems over time.

    First reported: 27.04.2026 12:10
    1 source, 1 article