Fast16 Malware Reverse-Engineering: State-Sponsored Computation Sabotage Analysis

Fast16 is a state-sponsored malware framework, newly reverse-engineered by SentinelOne researchers in April 2026, that silently manipulated scientific computation outputs — an integrity sabotage approach that makes it unlike any previously documented nation-state tool. Compilation timestamps embedded in its binaries place Fast16’s origin in mid-2005, making it the earliest US-attributed cyber-sabotage implant on record, predating Stuxnet by at least five years. Rather than destroying data or damaging hardware directly, Fast16 corrupted the floating-point arithmetic inside high-precision engineering simulation software, causing calculation errors that could cascade from flawed research results to catastrophic equipment failures. Its designated target: Iranian scientific and engineering infrastructure.

The Discovery: SentinelOne’s Reverse Engineering of Fast16 Malware

The thread that led to Fast16’s discovery was hiding in plain sight for nearly a decade. The infamous ShadowBrokers data dumps of 2016–2017 — a series of leaks that exposed alleged NSA Equation Group tools and included exploits like EternalBlue (later repurposed in WannaCry and NotPetya) — contained a file called drv_list.txt. The file is a deconfliction registry: a list of kernel-level drivers associated with US intelligence community implants, maintained so that separate operations do not accidentally disrupt each other’s tools.

Fast16 appears in that list with the annotation: "fast16 Nothing to see here – carry on ". The “nothing to see here” language is standard operational security (OPSEC) shorthand for an active or archived friendly implant that other operators should leave untouched.

SentinelOne pulled that thread. Researchers located the Fast16 samples on VirusTotal — the cloud-based malware scanning service that allows researchers to upload and analyse suspicious files — where the binaries had sat since 2010 with minimal antivirus detection. A full architectural reverse engineering produced the most detailed public analysis of a pre-Stuxnet US cyber-sabotage tool to date.

PE (Portable Executable — the binary file format used by Windows programs) header timestamps extracted from the three components confirm a mid-2005 development window:

| Component | Compiled | |—|—| | svcmgmt.dll | June 6, 2005 | | fast16.sys | July 19, 2005 | | svcmgmt.exe | August 30, 2005 |

Stuxnet — the joint US-Israeli digital weapon that physically destroyed Iranian uranium enrichment centrifuges at Natanz — is believed to have been deployed around 2007–2009 and was not publicly discovered until June 2010. Fast16 precedes it by approximately five years and represents a conceptually distinct strategy: integrity sabotage rather than kinetic destruction.

Fast16’s Three-Component Architecture

The malware is a modular framework built around three discrete components, each serving a specific function in the attack chain.

svcmgmt.exe — The Lua-Powered Carrier

The primary loader (svcmgmt.exe, 315,392 bytes) contains an embedded Lua 5.0 virtual machine — a lightweight scripting language more typically found in game engines and embedded applications, but highly unusual in 2005-era malware. The carrier unpacks an encrypted bytecode container at the service entry point. This container holds the propagation logic and driver coordination code.

This architecture deliberately separates a stable, rarely changing execution wrapper from an encrypted, mission-specific payload — giving operators the ability to update objectives without recompiling the full dropper. The design sophistication was not common in commodity malware of that era and points to a well-resourced development team.

The carrier registers under the Windows service name SvcMgmt — a deliberate masquerade as legitimate service management software, consistent with MITRE ATT&CK T1036 (Masquerading — the technique of disguising malicious components as legitimate system processes to avoid analyst suspicion). Lua bytecode payloads can be identified by their magic byte sequence 1B 4C 75 61 at the start of the payload container.

fast16.sys — The Kernel Filesystem Driver

The kernel driver (fast16.sys, 44,580 bytes) is the precision sabotage engine at the heart of the framework. It installs as a boot-start filesystem filter driver (Type=2, Start=0) — meaning it loads before most other software and persists across system reboots without user interaction.

The driver performs the following operations at the kernel level (the most privileged execution layer of the operating system, below which no software restrictions apply):

• Registers via IoRegisterFsRegistrationChange to attach to every filesystem volume — NTFS, FAT, and MRxSMB (the redirector for network file shares) — as each volume mounts
• Intercepts IRP_MJ_CREATE, IRP_MJ_READ, and IRP_MJ_CLOSE operations (IRP stands for I/O Request Packet — the data structure Windows uses to pass file system commands between drivers and applications)
• Disables the Windows Prefetcher (a performance feature that caches frequently accessed files) by modifying its registry configuration, forcing all executable code-page loads through the filesystem stack where the driver can intercept them in real time
• Exposes an internal device at \Device\fast16 with a non-standard DeviceType value of 0xA57C, which has no known legitimate use
• Delays full activation until explorer.exe has started, reducing anomalous activity during the boot sequence

The driver’s PDB (Program Database — a debug symbol file that maps binary addresses to source code locations) path is C:\buildy\driver\fd\i386\fast16.pdb, revealing the development system’s build directory name. The presence of @(#) — an archaic SCCS/RCS source control annotation convention originating from Unix systems — in the Windows kernel driver code hints at a cross-platform development environment, another unusual artefact for 2005-era Windows malware.

svcmgmt.dll — The Reporting Component

The third component (svcmgmt.dll, 45,056 bytes) handles user-mode coordination and reporting, bridging the kernel driver’s in-memory patching activity with operator-facing infrastructure. The precise telemetry mechanism — whether it communicated over the network or stored results locally — has not been fully documented in SentinelOne’s published analysis.

How Fast16 Spreads: The SCM Wormlet

Fast16 propagates laterally across Windows networks using a self-replication mechanism SentinelOne calls the “SCM wormlet.” SCM stands for the Windows Service Control Manager — the subsystem responsible for starting, stopping, and managing system services. The wormlet uses three techniques:

• SMB share exploitation: Copies malware components to remote machines via Windows ADMIN$ administrative shares. ADMIN$ is a hidden network share that exposes the C:\Windows directory to users with local administrator credentials, commonly left enabled by default on Windows 2000 and XP in enterprise environments.
• Weak credential exploitation: Attempts default and common administrative passwords to authenticate against remote hosts, consistent with MITRE ATT&CK T1078 (Valid Accounts — using legitimate credentials, whether stolen or guessed, to authenticate to systems).
• SCM API abuse: Uses legitimate Windows Service Control Manager API calls to install and start the SvcMgmt service on each newly reached host, mirroring MITRE ATT&CK T1543.003 (Create or Modify System Process: Windows Service).

Before propagating, the wormlet performs an environmental sweep of 17 registry keys associated with security products from Agnitum, F-Secure, Kaspersky, McAfee, Microsoft, Symantec, Sygate Technologies, and Trend Micro. If any monitored product is detected, propagation halts entirely. Monitored keys include:

HKLM\SOFTWARE\Symantec\InstalledApps
HKLM\SOFTWARE\Zone Labs\TrueVector
HKLM\SOFTWARE\F-Secure
HKLM\SOFTWARE\McAfee.com\Personal Firewall
HKLM\SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Hacker

This security-awareness makes Fast16 significantly stealthier than indiscriminate worms: it actively avoids machines where its activity might be logged or flagged. The malware is constrained to Windows 2000 and Windows XP — it does not run on Windows 7 or later — reflecting its mid-2000s development origin and the environment it was designed to operate in.

The Computation Sabotage Engine: How Fast16 Corrupts Scientific Results

The most technically distinctive element of Fast16 is its sabotage payload — a 101-rule pattern-matching engine embedded in fast16.sys that intercepts executable file reads and surgically modifies calculation logic in memory before it reaches the CPU.

Target selection uses two criteria applied to every .EXE file accessed on the system:

• The filename ends with .EXE
• A printable ASCII string beginning with Intel appears immediately after the last PE section header in the file

The second criterion is a fingerprint for executables compiled with the Intel C/C++ Compiler (ICC) — the dominant high-performance compiler for scientific and engineering applications in the mid-2000s, which routinely placed compiler metadata strings in the PE header region. Fast16 exploited this compiler artefact to identify high-value calculation targets without needing to know their filenames in advance.

Once a matching executable is identified, the 101-rule dispatch engine applies targeted code modifications by injecting FPU instructions — instructions that operate on the x86 processor’s dedicated Floating Point Unit, the hardware subsystem responsible for arithmetic on decimal (non-integer) numbers. These injections specifically target precision arithmetic operations and value-scaling code inside internal computation arrays.

The result is corrupted floating-point arithmetic: calculations complete successfully, produce valid-looking output files, and generate no error messages — but the numerical results are subtly wrong. In crash simulation software like LS-DYNA, this might mean a structural failure threshold that is several percent too optimistic or too pessimistic. In hydrodynamic modeling, it could mean a contamination plume model that predicts the wrong dispersion path for substances released into a water system.

This is the operational genius of Fast16: the victim has no indication they are a victim. The software runs. The results are produced. The corruption lives only in floating-point precision, invisible without independent ground-truth validation.

Target Software: LS-DYNA, PKPM, and MOHID

SentinelOne’s analysis identified three high-precision engineering and simulation packages as Fast16’s probable targets, selected based on the 101 patching rules embedded in the driver. All three were in use in Iran and its regional engineering ecosystem during the mid-2000s:

| Software | Domain | Use Cases | |—|—|—| | LS-DYNA 970 | Structural/impact simulation | Crash testing, explosive deformation, ballistic analysis, explosive blast modeling | | PKPM | Civil/structural engineering | Building design, structural analysis (SATWE finite-element engine) | | MOHID | Hydrodynamic water modeling | Water system dynamics, contamination dispersal, environmental impact modeling |

LS-DYNA 970 (now part of Ansys) is a finite element analysis solver widely used for simulating explosive detonations, high-velocity projectile impacts, and structural collapse — making it directly relevant to weapons research and facilities engineering. A compromised LS-DYNA producing subtly incorrect blast modeling outputs could lead to engineering designs that either fail under real-world conditions or are so over-engineered they become impractical.

PKPM (developed by the China Academy of Building Research) was and remains widely deployed across Iran and the Middle East for civil engineering design. Corrupted structural analysis outputs could affect building designs in ways that only manifest during physical stress testing — or during an actual seismic event.

MOHID is an open-source hydrodynamic platform developed by the Instituto Superior Técnico in Lisbon, used for modeling behavior of water bodies including dispersion of dissolved substances. Corrupted MOHID outputs could produce incorrect predictions for contamination scenarios in water systems or cooling water behavior in nuclear facilities.

The combination suggests Fast16’s operators were targeting Iranian military research, advanced engineering programs, and potentially nuclear facility simulation infrastructure — not general IT systems.

The ShadowBrokers Connection and Attribution

The NSA’s Equation Group is widely regarded as the US intelligence community’s premier offensive cyber unit and the developer of the most sophisticated implant frameworks publicly known, including DoubleFantasy, EquationDrug, and GrayFish. The April 2017 “Lost in Translation” ShadowBrokers dump — which included the EternalBlue exploit later repurposed in WannaCry — contained drv_list.txt, a deconfliction registry of kernel-level drivers.

Fast16 appears in that registry with the entry: "fast16 Nothing to see here – carry on ". In intelligence operations, deconfliction files like this prevent different operators from inadvertently disrupting friendly implants already installed on shared target infrastructure. The explicit dismissal language is consistent with NSA OPSEC annotations for archived or active tools that should not be investigated or removed.

This link does not constitute conclusive proof of NSA authorship. Attribution in state-sponsored cyber operations is rarely absolute. However, the convergence of the 2005 compilation timestamps, the Iranian engineering software targeting, and the explicit Equation Group deconfliction reference represents strong circumstantial evidence. SentinelOne assesses Fast16 as US-attributed and estimates its deployment around 2005 — consistent with the early phase of US offensive cyber operations against Iranian nuclear and scientific programs that would later produce Stuxnet.

MITRE ATT&CK Mapping

MITRE ATT&CK is an industry-standard adversary behaviour framework cataloguing the tactics, techniques, and procedures (TTPs) used by threat actors. Each technique has a T-number identifier.

| Technique | ID | Fast16 Implementation | |—|—|—| | Masquerading | T1036 | svcmgmt.exe disguised as Windows service management | | Create or Modify System Process: Windows Service | T1543.003 | SvcMgmt service installation for persistence | | Boot or Logon Autostart Execution | T1547 | Boot-start kernel driver loaded before OS userland | | Hijack Execution Flow | T1574 | Filesystem driver intercepts executable reads mid-flight | | Remote Services: SMB/Windows Admin Shares | T1021.002 | Propagation via ADMIN$ share | | Valid Accounts | T1078 | Weak/default credential exploitation during worm propagation | | Impair Defenses: Disable or Modify Tools | T1562.001 | AV registry key detection halts propagation | | Stored Data Manipulation | T1565.001 | FPU instruction injection corrupts calculation outputs | | Disable or Modify System Firewall | T1562.004 | Prefetcher registry modification redirects file I/O |

Indicators of Compromise

The following IOCs (Indicators of Compromise — specific artifacts like file hashes, paths, and network identifiers that confirm malware presence) are sourced directly from SentinelOne’s published analysis. Fast16 targets Windows 2000/XP environments; these IOCs have forensic value for investigating archived disk images, legacy air-gapped systems, and historical incident data.

File Hashes

| File | MD5 | SHA256 | |—|—|—| | svcmgmt.exe | dbe51eabebf9d4ef9581ef99844a2944 | 9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525 | | fast16.sys | 0ff6abe0252d4f37a196a1231fae5f26 | 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529 | | svcmgmt.dll | 410eddfc19de44249897986ecc8ac449 | 8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9 |

Named Pipe

\\.\pipe\p577

PDB (Debug Symbol) Path

C:\buildy\driver\fd\i386\fast16.pdb

Windows Service

Service Name: SvcMgmt

Lua Bytecode Magic Bytes (hex)

1B 4C 75 61

Device Interface

Device: \Device\fast16
DeviceType: 0xA57C

Detection and Defensive Telemetry

Detecting Fast16 on a live system was difficult by design — it was engineered years before modern EDR (Endpoint Detection and Response — platforms that monitor process, network, and file activity at the endpoint to detect and respond to threats) platforms existed. For defenders conducting forensic analysis of legacy systems, historical incident investigations, or threat hunting research, SentinelOne released four YARA rules (YARA is an open-source pattern-matching tool used by malware analysts to write signatures that identify specific binaries or malware families):

• apt_fast16_carrier: Detects the Lua payload structure, encrypted string patterns, and AV registry enumeration logic in svcmgmt.exe
• apt_fast16_driver: Identifies fast16.sys via PDB path artefacts and API string encoding patterns in the kernel driver
• clean_fast16_patchtarget: Detects the 101-rule patch-target fingerprints present in LS-DYNA, PKPM, and MOHID executables that match Fast16’s selection criteria
• apt_fast16_patch: Identifies injected FPU-based computation corruption code in memory dumps or on-disk images of targeted processes

The rules are available through SentinelOne’s threat intelligence publication.

Behavioral artefacts for forensic hunting in Windows XP/2000 images:

# Filesystem driver anomalies
driver_attachment: [NTFS, FAT, MRxSMB]
device_object_type: 0xA57C  # non-standard, no legitimate use
named_pipe: \\.\pipe\p577

# Registry artefacts
key: HKLM\SYSTEM\CurrentControlSet\Services\SvcMgmt
  # (presence indicates driver installation)
key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
  value: EnablePrefetcher
  expected: 3
  suspicious: 0  # Fast16 zeros this to redirect I/O through its filter

Integrity indicators for simulation software environments:

For defenders in scientific, engineering, or national-security-adjacent environments running high-precision computation software today, the Fast16 case illustrates a class of attack that current tools are not instrumented to catch. Modern integrity monitoring solutions focus on file hash verification and configuration drift — neither catches floating-point arithmetic corruption in in-memory executable patches. Practical recommendations:

• Cross-validate critical simulation outputs: Run the same calculation on an isolated, non-networked machine and compare numerical output files byte-for-byte. Discrepancies in floating-point values that cannot be explained by deterministic differences in the execution environment warrant investigation.
• Monitor kernel driver device registrations: Alert on kernel drivers exposing device objects with non-standard or unrecognised DeviceType values. Legitimate filesystem filter drivers from known vendors have documented DeviceType constants.
• Audit filesystem filter driver attachment: Log all drivers registered via IoRegisterFsRegistrationChange. Unexpected entries — especially ones not matching installed security or backup software — should be investigated.
• Executable load monitoring: Any kernel-mode filter driver reading .EXE files during load operations (outside the normal page-fault path) is anomalous behaviour worth alerting on.

Integrity Attacks vs. Availability Attacks: Why Silent Corruption Is Harder to Catch Than Destruction

To understand why Fast16 is so operationally significant, it helps to position it against the malware categories defenders know best.

Destructive malware — wipers like Lotus Wiper, which destroyed energy infrastructure in Venezuela, or VECT 2.0, which permanently corrupts files above 128 KB — attacks availability. The harm is immediate and unmistakable: files become inaccessible, systems crash, consoles fill with errors, and defenders have clear evidence of an incident. Ransomware announces itself. Even sophisticated wipers leave forensic evidence in the form of corrupted file headers, overwritten sectors, and abrupt process termination logs.

Fast16 attacks integrity — the “I” in the CIA triad (Confidentiality, Integrity, Availability — the three core properties of information security). The targeted software runs to completion. Output files are produced. Logs show clean execution. The simulation results look plausible. The corruption exists only as a numerical shift in floating-point precision, invisible without independent reference data.

For state-sponsored sabotage purposes, this is superior to destruction in several ways:

• Deniability: Corrupted engineering results can always be attributed to software bugs, numerical precision limitations, or user error
• Persistence: The sabotage continues as long as the tool remains installed, affecting every calculation run — not just a one-time destructive event
• Detection resistance: No standard security product monitors floating-point arithmetic correctness; no SIEM (Security Information and Event Management) rule fires on a calculation that returns 1.00003 instead of 1.00000
• Cascading impact: Errors in simulation inputs compound through engineering design cycles, potentially affecting physical infrastructure built from corrupted analysis

This threat model is not historical. A modern equivalent of Fast16 targeting contemporary simulation software — ANSYS, COMSOL, MATLAB, or Abaqus — would evade every commercial EDR and integrity monitoring solution available today. The detection gap Fast16 exposes has not been closed in twenty years.

Conclusion

Fast16 is not simply an archaeological curiosity from the early days of cyber espionage. It is the earliest documented example of state-sponsored computation integrity sabotage — a class of attack that predates Stuxnet by five years and that defenders still have no systematic tooling to detect. SentinelOne’s April 2026 reverse engineering demonstrates both the long operational lifespan of nation-state tooling and the critical value of hunting in historical data sources like VirusTotal archives and intelligence community leak repositories.

Security teams in high-precision scientific research, advanced engineering, and national security-adjacent environments should treat this disclosure as an audit prompt: review what computation integrity monitoring you actually have, cross-validate critical simulation outputs on isolated hardware, and examine kernel driver registrations for non-standard device interfaces. The threat model Fast16 represents is as viable today as it was in 2005 — and far better-resourced adversaries now have access to far more capable tools.

See our analysis of how destructive wipers compare to integrity attacks and our technical deep-dive on VECT 2.0 ransomware wiper mechanics for further context on the full spectrum of state-sponsored destructive techniques. For nation-state malware IOC tracking and detection coverage, see our BlueNoroff analysis.