Fast16: Lua-powered sabotage framework predates Stuxnet by five years
SentinelLABS has identified fast16, a previously undocumented sabotage framework compiled in 2005 that selectively patches high-precision calculation software in memory to corrupt results across an entire facility. The kernel driver fast16.sys sits in the storage stack as a boot-start filesystem filter, intercepting executable code as it’s read from disk and applying rule-based modifications. Paired with a self-propagating carrier, the toolkit was designed to ensure every machine in a target environment produced the same subtly wrong answers — a sabotage model aimed at advanced physics, cryptographic, and nuclear research workloads.
The carrier, svcmgmt.exe, embeds a Lua 5.0 virtual machine extended with a wstring module, a symmetric cipher, and bindings into Windows filesystem, registry, service control, and network APIs. Encrypted Lua bytecode handles configuration and propagation logic, while modular ‘wormlets’ stored inside the binary spread the implant — in the recovered sample, via SMB shares with weak admin credentials on Windows 2000/XP. The architecture predates Flame’s Lua-based modularity by three years and represents the earliest known sophisticated use of an embedded Lua engine in Windows malware.
The forensic link came from a PDB path inside svcmgmt.exe pointing to fast16.sys, which matches the ‘fast16’ entry in the NSA Territorial Dispute deconfliction list leaked by ShadowBrokers in 2017 — flagged with the unusual operator instruction ‘Nothing to see here – carry on.’ The find pushes the timeline of state-grade precision sabotage tooling back at least five years before Stuxnet and ties a 2005 implant directly to operator tradecraft documented over a decade later.
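The two artefacts the summary leans on, a CodeView (RSDS) PDB path left in a carrier binary and the traces an embedded Lua 5.0 engine leaves behind, are both cheap to check for during triage. The following Python script is an added example written for this page, not SentinelLABS code and not derived from the fast16 samples. It parses RSDS debug records (the `RSDS` tag, a 16-byte GUID, a 4-byte age and a NUL-terminated path) and looks for the Lua bytecode signature (`ESC "Lua"` followed by a version byte, `0x50` for 5.0) and the compiled-in version string. The sample blob, its GUID and the path `x:\constructed\fast16\fast16.pdb` are constructed for the demonstration; encrypted bytecode as described above would not carry the plaintext signature, so the version string and loader constants of the VM itself are the more durable indicator.

```python
import re
import struct
import uuid

# Lua bytecode chunks begin with ESC "Lua" and a packed version byte
# (0x50 = Lua 5.0, 0x51 = Lua 5.1). Version strings come from LUA_VERSION.
LUA_SIGNATURE = b"\x1bLua"
LUA_VERSION_STRINGS = [b"Lua 5.0", b"Lua 5.1"]


def find_pdb_paths(blob):
    """Return (guid, age, path) for every CodeView RSDS record in blob."""
    results = []
    for match in re.finditer(b"RSDS", blob):
        start = match.end()
        if start + 20 > len(blob):
            continue
        guid = uuid.UUID(bytes_le=blob[start:start + 16])
        age = struct.unpack("<I", blob[start + 16:start + 20])[0]
        end = blob.find(b"\x00", start + 20)
        if end == -1:
            continue
        try:
            path = blob[start + 20:end].decode("ascii")
        except UnicodeDecodeError:
            continue  # random bytes after "RSDS", not a real record
        if not path.lower().endswith(".pdb"):
            continue
        results.append((str(guid), age, path))
    return results


def find_lua_artifacts(blob):
    """Report embedded Lua bytecode headers and interpreter version strings."""
    found = {"bytecode_versions": [], "version_strings": []}
    for match in re.finditer(re.escape(LUA_SIGNATURE), blob):
        version = blob[match.end():match.end() + 1]
        if version:
            found["bytecode_versions"].append(
                f"{version[0] >> 4}.{version[0] & 0x0F}")
    for needle in LUA_VERSION_STRINGS:
        if needle in blob:
            found["version_strings"].append(needle.decode("ascii"))
    return found


def triage(blob):
    """Combine both checks into a list of human-readable indicators."""
    indicators = []
    for guid, age, path in find_pdb_paths(blob):
        # The file stem in the PDB path is the name the developer built under,
        # which is how a carrier can point at a companion driver.
        stem = path.replace("/", "\\").rsplit("\\", 1)[-1]
        indicators.append(f"pdb path {path} (guid {guid}, age {age}) -> {stem}")
    lua = find_lua_artifacts(blob)
    if lua["version_strings"] or lua["bytecode_versions"]:
        indicators.append(
            "embedded Lua engine: versions "
            + ", ".join(lua["version_strings"] + lua["bytecode_versions"]))
    return indicators


# Constructed sample: a fake PE-like blob with one RSDS record and Lua traces.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 1)
    + b"x:\\constructed\\fast16\\fast16.pdb\x00"
    + b"\x00" * 16
    + b"Lua 5.0\x00" + b"\x1bLua\x50" + b"\x00" * 8
)

if __name__ == "__main__":
    for line in triage(SAMPLE_BLOB):
        print(line)
```

Running the script on a real binary is just a matter of reading the file into `blob`; on large files the `RSDS` search produces false hits, which the `.pdb` suffix and ASCII checks filter out.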
Continue reading at Hacker News. This is an AI-generated summary; read the original for the full story.