Two researchers stumble on pre-Stuxnet malware that may have targeted Iran's nuclear program


A discovery by two curious malware analysts at SentinelLABS suggests a sophisticated cyber sabotage tool was in use years earlier than previously believed, potentially rewriting the timeline of modern cyber warfare.

For more than a decade, Stuxnet has been regarded as the first example of malware causing physical damage.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas

Discovered in 2010, the highly sophisticated computer worm secretly targeted Iran’s nuclear facilities, damaging centrifuges while making the systems appear to operate normally.

Now, researchers at SentinelLabs say they have uncovered evidence of an earlier and largely forgotten operation: a 2005 malware framework known as fast16, which may have been designed to sabotage scientific and engineering calculations linked to sensitive state programs.

According to analysts Vitaly Kamluk and Juan Andrés Guerrero-Saade, fast16 appears to have been developed as a cyber weapon that spread covertly through Windows networks before tampering with the output of advanced simulation software.


Unlike Stuxnet, which directly targeted critical infrastructure machinery, fast16 was designed to interfere with the research and design process.

Researchers say the malware worked by modifying calculations performed by high-precision engineering programs, introducing subtle errors into software used for structural analysis, physics simulations, and other complex workloads.

Tampering with these calculations could lead to flawed research, degraded systems, or costly design failures without obvious signs of compromise.


“Nothing to see here... Carry on”

The discovery began when Kamluk and Guerrero-Saade set out to trace the origins of a technique seen in elite espionage malware families such as Flame and Project Sauron.

Those operations embedded a scripting engine for the Lua language, allowing attackers to update malware behavior on the fly without redeploying the implant.

While searching older malware collections for early Lua use, the researchers found an obscure 2005 file named svcmgmt.exe.

What first appeared to be an ordinary Windows service program turned out to contain encrypted Lua code and references to a second component, fast16.sys.

That name rang a bell because “fast16” had previously surfaced in the 2017 Shadow Brokers leak of stolen National Security Agency (NSA) cyber tools (often referred to as “the most detrimental leak in history”).

In leaked files, fast16 appeared on a list of implants operators were told to avoid interfering with, suggesting that it belonged to a trusted or allied intelligence operation.

SentinelLABs suspected there might be something to see here and decided to reverse-engineer the supposedly harmless fast16.

In doing so, they discovered malware capable of spreading across internal networks using legitimate Windows administration tools. It installed a hidden component that loads when the computer starts and then intercepts the targeted software as it is loaded.


It focused on programs compiled with Intel’s software tools and patched them in memory to alter floating-point calculations.
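The two passages above describe the effect rather than the mechanics: a per-operation error small enough to pass unnoticed, applied by an in-memory patch, that still ruins the output of a long-running solver. The following constructed example, which is added here and is not code from the SentinelLABS report or from fast16 itself, models that failure mode and the check a practitioner would want against it. The tamper model (a fixed relative bias on every multiplication) and the solver stand-in are assumptions for illustration; the page does not say what kind of perturbation fast16 introduced.

```python
"""
Constructed model of a hidden floating-point bias compounding across an
iterative workload, plus a known-answer self-test that detects it.
The bias model is an assumption for illustration, not documented fast16
behaviour.
"""


def honest_mul(a: float, b: float) -> float:
    """The multiply primitive a simulation code would call, unmodified."""
    return a * b


def make_biased_mul(rel_bias: float):
    """Return a multiply whose every result is off by `rel_bias` relative.

    In the real attack the alteration is an in-memory patch of the compiled
    program; here the "patch" is a wrapper. A bias of 1e-6 is far below
    anything an engineer reading a results table would notice.
    """
    def biased_mul(a: float, b: float) -> float:
        return (a * b) * (1.0 + rel_bias)
    return biased_mul


def run_solver(mul, growth: float, steps: int) -> float:
    """Stand-in for an iterative solver (assumption): applies the same step
    operator `steps` times, so a per-operation bias is applied `steps` times."""
    state = 1.0
    for _ in range(steps):
        state = mul(state, growth)
    return state


def relative_error(observed: float, reference: float) -> float:
    return abs(observed - reference) / abs(reference)


# Known-answer test in the spirit of a crypto module's power-on self-test.
# Products of small dyadic values are exact in IEEE-754 binary64, so any
# deviation at all means the arithmetic path has been altered.
KNOWN_ANSWERS = [
    ((3.0, 7.0), 21.0),
    ((0.5, 8.0), 4.0),
    ((1024.0, 1024.0), 1048576.0),
    ((-2.5, 4.0), -10.0),
]


def known_answer_check(mul) -> bool:
    """True only if `mul` reproduces every exact reference product bit-for-bit."""
    return all(mul(a, b) == expected for (a, b), expected in KNOWN_ANSWERS)


def demo(steps: int = 100_000, rel_bias: float = 1e-6) -> dict:
    """Compare an honest and a biased solver run on the same constructed input."""
    growth = 1.0 + 1e-5                      # honest result is close to e
    biased_mul = make_biased_mul(rel_bias)
    honest = run_solver(honest_mul, growth, steps)
    biased = run_solver(biased_mul, growth, steps)
    return {
        "honest": honest,
        "biased": biased,
        # one operation: error equals the bias itself, invisible in practice
        "single_op_error": relative_error(biased_mul(growth, growth), growth * growth),
        # whole run: roughly exp(steps * rel_bias) - 1, about 10% here
        "solver_error": relative_error(biased, honest),
        "kat_passes_honest": known_answer_check(honest_mul),
        "kat_passes_biased": known_answer_check(biased_mul),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value}")
```

The point of the known-answer check is that it asks for bit-exact equality on inputs whose product has no rounding error, so even a bias far below the tolerance used for real simulation results fails it. A solver that runs such a self-test at startup and before committing results gives an operator a cheap signal that the arithmetic path has been tampered with, which the results themselves, as the article notes, do not.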

Iran nuclear targets

The report identifies possible target software, including LS-DYNA, a powerful simulation tool used for modeling explosions, impacts, and structural damage.

Public reporting has previously linked the use of LS-DYNA to studies relevant to Iran’s former AMAD nuclear weapons program.

“LS-DYNA in particular has been cited in public reporting on Iran’s suspected violations of Section T of the JCPOA, in studies of computer modeling relevant to nuclear weapons development,” Sentinel writes.

fast16 was a harbinger for sabotage operations targeting ultra-expensive high-precision computing workloads.

While Sentinel stops short of claiming definitive attribution, the researchers argue that the timing, technical sophistication, and later NSA reference strongly suggest that fast16 was a state-backed endeavor, widely interpreted as the work of the US or a close ally.

They conclude that the 2005 attack was a harbinger of sabotage operations targeting ultra-expensive high-precision computing workloads of national importance, such as advanced physics, cryptographic, and nuclear research.

If confirmed, the researchers say the finding would mean that covert cyber-sabotage capabilities existed by the mid-2000s, years before Stuxnet brought cyberwarfare into public view.


“It is a reference point for understanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the physical world through software.”
