Fast16 is a long-running sabotage framework that targets LS-DYNA and AUTODYN simulations to manipulate high-explosive and nuclear detonation modeling, especially by altering output values when uranium density reaches critical thresholds. Its installer spreads only within a victim network using service deployment, persistence tricks, and share enumeration, while its hook engine is tailored across multiple software builds to disrupt nuclear weapons research. #Fast16 #LSDYNA #AUTODYN #Stuxnet
Keypoints
- Fast16 is a sabotage framework first publicly analyzed in 2026, with components that may date back to around 2005.
- The malware targets LS-DYNA and AUTODYN, both used for crashworthiness, material modeling, and explosive simulation.
- Its hooks are designed to interfere with high-explosive and nuclear detonation simulations, particularly those involving uranium compression.
- Fast16 checks simulation conditions such as EOS type, density thresholds, and specific strings in memory before tampering with outputs.
- The framework uses multiple tailored hook groups, suggesting it tracked software versions over time and adapted to different builds.
- Fast16 spreads inside a target network through service installation, registry-based persistence, share enumeration, and credential impersonation.
- Defensive guidance includes driver inventory, application control, and endpoint security tools like Symantec Endpoint Security and Carbon Black EDR.
MITRE Techniques
- [T1547.012] Boot or Logon Autostart Execution: Image File Execution Options – Fast16 abuses IFEO persistence by writing its path into a Debugger value so Windows launches it instead of the target application (‘writing its own path into the Debugger value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options’)
- [T1021.002] Remote Services: SMB/Windows Admin Shares – Fast16 copies itself to remote admin shares and creates a remote service to run on new hosts (‘copies itself to admin$\system32\svcmgmt.exe, and creates a remote SvcMgmt service’)
- [T1134.002] Access Token Manipulation: Create Process with Token – Fast16 impersonates the locally logged-on user’s credentials before copying itself to remote machines (‘fast16 impersonates the locally logged-on user’s credentials’)
- [T1049] System Network Connections Discovery – Fast16 enumerates domains, servers, and shares to find additional remote hosts (‘fast16 enumerates all domains, servers, and shares to discover further remote hosts’)
- [T1001.001] Data Obfuscation: Junk Data – Fast16 injects code into a specially created .xdata section and rewrites instruction sequences to hide malicious behavior (‘places a hook to malicious code in an injected .xdata section’)
- [T1569.002] System Services: Service Execution – Fast16 installs and runs as a Windows service, including a remote SvcMgmt service (‘registers it as the SvcMgmt service’; ‘creates a remote SvcMgmt service to start execution’)
- [T1055] Process Injection – Fast16 patches executable code in memory as files are read and redirects execution to injected handlers (‘patches executable code as it is read from disk’; ‘far-call to injected handler’)
Indicators of Compromise
- [File names] Fast16 components and service files – svcmgmt.exe, svcmgmt.dll, fast16.sys
- [Registry paths] Persistence and service loading – HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, NtfsMetaDataMutex
- [Named pipes] Local reporting channel – \\.\pipe\p577
- [File system paths] Installation locations – %windir%\system32\svcmgmt.exe, system drivers folder
- [IP address ranges] Local network filtering used for propagation – 10.x.x.x, 172.16.x.x, 192.168.x.x
- [Security product registry keys] Propagation checks – 18 endpoint security registry keys checked before spreading
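A host hunt for the artifacts listed above, as an added example that is not part of Symantec's write-up. It assumes the standard Windows locations for the IFEO key and the drivers folder (%windir%\system32\drivers), and only reports what it finds; run it in an elevated PowerShell session.

```powershell
# Added hunting script (not from the original report): looks for the Fast16
# artifacts named in the IoC list on the local host and prints any matches.
$findings = @()

# 1. IFEO persistence: report every Debugger value under Image File Execution
#    Options; a Debugger pointing at svcmgmt.exe is the Fast16 pattern.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Type = 'IFEO Debugger'; Detail = "$($_.PSChildName) -> $dbg" }
    }
}

# 2. Service named SvcMgmt (the name Fast16 registers locally and on remote hosts).
$svc = Get-CimInstance Win32_Service -Filter "Name='SvcMgmt'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Type = 'Service'; Detail = "SvcMgmt -> $($svc.PathName)" }
}

# 3. File artifacts in the install locations from the IoC list; hash anything found
#    so it can be compared against the vendor's published indicators.
$paths = @("$env:windir\system32\svcmgmt.exe",
           "$env:windir\system32\svcmgmt.dll",
           "$env:windir\system32\drivers\fast16.sys")   # assumed drivers folder
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Detail = "$p sha256=$h" }
    }
}

# 4. Named pipe used as the local reporting channel. Listing \\.\pipe\ enumerates
#    every open pipe on the host, so the check does not need to open the pipe.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
if ($pipes -contains '\\.\pipe\p577') {
    $findings += [pscustomobject]@{ Type = 'Named pipe'; Detail = '\\.\pipe\p577' }
}

# 5. Driver inventory: flag fast16.sys if it is registered as a system driver.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'fast16\.sys' } |
    ForEach-Object { $findings += [pscustomobject]@{ Type = 'Driver'; Detail = $_.PathName } }

if ($findings.Count -eq 0) { 'No Fast16 indicators found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Any IFEO Debugger value is reported, not just svcmgmt.exe, because legitimate debuggers and other tooling also use this key and each entry should be reviewed rather than silently ignored.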
Read more: https://www.security.com/threat-intelligence/fast16-nuclear-sabotage