Researchers Uncover Pre-Stuxnet Malware That Tampered With Engineering Calculations
Cybersecurity researchers at SentinelOne have discovered a previously undocumented malware framework that predates the notorious Stuxnet worm
The malware, codenamed fast16, dates back to 2005 and represents the first known strain of Windows malware to embed a Lua engine, according to a report published this week. SentinelOne said the framework primarily targeted calculation software used in civil engineering, physics, and physical process simulations, aiming to introduce small but systematic errors into results.
The discovery began with an artifact named "svcmgmt.exe" uploaded to VirusTotal in 2016. The file carried a creation timestamp of August 30, 2005, and appeared at first to be a generic service wrapper. Deeper analysis revealed an embedded Lua 5.0 virtual machine, an encrypted
The implant's core logic resides in Lua
The malware includes a self-propagation mechanism that scans for network servers and spreads to other Windows 2000/XP environments with weak or default credentials. It also checks for security products from vendors including Kaspersky, McAfee, Microsoft, and Symantec before deploying.
SentinelOne uncovered a reference to the string "fast16" in a text file leaked
Based on analysis of 101 rules in the patching engine, researchers assess that three engineering suites may have been targets: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform. LS-DYNA is a multi-physics simulation tool used for modeling crashes, impacts, and explosions.
The finding forces a re-evaluation of the historical timeline for clandestine cyber sabotage operations, SentinelOne said. It shows that state-backed cyber sabotage tooling against physical targets had been fully developed and deployed
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.