Researchers at SentinelOne uncovered a previously undocumented Lua-based Windows sabotage framework called fast16 that dates to 2005 and embeds a Lua 5.0 virtual machine with encrypted bytecode. The toolkit used a carrier (svcmgmt.exe), an auxiliary ConnotifyDLL, and a kernel driver (fast16.sys) to intercept and corrupt high-precision calculations and propagate across Windows 2000/XP networks. The framework predates later tools like Stuxnet, and the finding recontextualizes them.
Keypoints
- fast16 is a Lua-powered Windows malware framework compiled in 2005 that embeds a Lua 5.0 VM and encrypted bytecode.
- The carrier svcmgmt.exe can run as a service, execute Lua payloads, and deploy three components: Lua bytecode, svcmgmt.dll, and the fast16.sys driver.
- The fast16.sys kernel driver performs rule-based patching of Intel C/C++ compiled executables to corrupt mathematical and simulation results.
- Propagation relied on an SCM wormlet targeting Windows 2000/XP servers with weak credentials and avoided systems with specific security products installed.
- Evidence links fast16 to leaked Equation Group signatures and the Shadow Brokers disclosures, placing state-grade sabotage tooling earlier than previously known.
Read More: https://thehackernews.com/2026/04/researchers-uncover-pre-stuxnet-fast16.html