{
	"id": "929dd389-0067-4246-b2f4-1b093a0fde9a",
	"created_at": "2026-05-07T02:42:58.354603Z",
	"updated_at": "2026-05-07T02:44:11.056911Z",
	"deleted_at": null,
	"sha1_hash": "cc8a8134664541c3006bc77eafd6c670f5dd8760",
	"title": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3378016,
	"plain_text": "fast16 | Mystery ShadowBrokers Reference Reveals High-Precision\r\nSoftware Sabotage 5 Years Before Stuxnet\r\nBy Vitaly Kamluk \u0026 Juan Andrés Guerrero-Saade\r\nPublished: 2026-04-23 · Archived: 2026-05-07 02:11:37 UTC\r\nExecutive Summary\r\nSentinelLABS has uncovered a previously undocumented cyber sabotage framework whose core\r\ncomponents date back to 2005, tracked as fast16.\r\nfast16.sys selectively targets high-precision calculation software, patching code in memory to tamper\r\nwith results. By combining this payload with self-propagation mechanisms, the attackers aim to produce\r\nequivalent inaccurate calculations across an entire facility.\r\nThis 2005 attack is a harbinger for sabotage operations targeting ultra expensive high-precision computing\r\nworkloads of national importance like advanced physics, cryptographic, and nuclear research workloads.\r\nfast16 predates Stuxnet by at least five years, and stands as the first operation of its kind. The use of an\r\nembedded customized Lua virtual machine predates the earliest Flame samples by three years.\r\nThe name ‘fast16’ is referenced in the infamous ShadowBrokers’ leak of NSA’s ‘Territorial Dispute’\r\ncomponents. An evasion signature instructs operators: “fast16 *** Nothing to see here – carry on ***”\r\nOverview\r\nOur investigation into fast16 starts with an architectural hunch. A certain tier of apex threat actors has consistently\r\nrelied on embedded scripting engines as a means of modularity. Flame, Animal Farm’s Bunny, ‘PlexingEagle’,\r\nFlame 2.0, and Project Sauron each built platforms around the extensibility and modularity of an embedded Lua\r\nVM. We wanted to determine whether that development style arose from a shared source, so we set out to trace\r\nthe earliest sophisticated use of an embedded Lua engine in Windows malware.\r\nLua is a lightweight scripting language with a native proficiency for extending C/C++ functionality. 
Given the appeal of C++ for reliable high-end malware frameworks, the ability to extend a running implant with scripts is indispensable: it avoids recompiling entire implant components to add functionality to already infected machines. We did not find an indication of direct shared provenance, but our investigation did uncover the oldest instance of this modern attack architecture.\r\nLua leaves a distinctive fingerprint. Compiled bytecode containers start with the magic bytes 1B 4C 75 61 ( \\x1bLua ), followed by a version byte, and the engine typically exposes a characteristic C API and environment variables such as LUA_PATH . Hunting for these traits across mid-2000s malware collections surfaced a sample that initially looked unremarkable: svcmgmt.exe .\r\nsvcmgmt.exe | A 2005 Lua-Powered Service Binary\r\nhttps://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/\r\nPage 1 of 20\n\nOn the surface, svcmgmt.exe appears to be a generic console‑mode service wrapper from the Windows 2000/XP era.\r\nFilename svcmgmt.exe\r\nFilesize 315,392 bytes\r\nMD5 dbe51eabebf9d4ef9581ef99844a2944\r\nSHA1 de584703c78a60a56028f9834086facd1401b355\r\nSHA256 9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525\r\nType PE32 executable for MS Windows 4.00 (console), Intel i386\r\nLink Time 2005-08-30 18:15:06 UTC\r\nA closer look reveals an embedded Lua 5.0 virtual machine and an encrypted bytecode container unpacked by the service entry point.\r\nThe developers extended the Lua environment to include:\r\na wstring module for native Unicode handling\r\na built‑in symmetric cipher, exposed through a function commonly labelled b , used to decrypt embedded data\r\nmultiple modules that bind directly into Windows NT filesystem, registry, service control, and network APIs.\r\nEven by itself, svcmgmt.exe already looks like an early high-end implant, a modular service binary that hands most of its 
logic to encrypted Lua bytecode. The binary includes a crucial detail: a PDB path that links the binary to the kernel driver fast16.sys .\r\nfast16 | A Nagging Mystery from the ShadowBrokers Leak\r\nBuried in the binary’s strings is a PDB reference:\r\nC:\\buildy\\driver\\fd\\i386\\fast16.pdb\r\nAt first glance, the path is structured like any other compiler artifact: an internal build directory, a component name (fast16), and an architecture hint (i386). In this case, however, there is a mismatch. The string appears inside a service-mode executable, yet the driver\\fd\\i386\\fast16 segment of the PDB path clearly refers to a kernel driver project.\r\nFollowing that clue led us to a second binary, fast16.sys :\r\nFilename fast16.sys\r\nFilesize 44,580 bytes\r\nMD5 0ff6abe0252d4f37a196a1231fae5f26\r\nSHA256 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529\r\nType PE32 executable for MS Windows 5.00 (native), Intel i386, 5 sections\r\nLink Time 2005-07-19 15:15:41 UTC (0x42dd191d)\r\nThis kernel driver is a boot-start filesystem component that intercepts and modifies executable code as it is read from disk. Although a driver of this age will not run on Windows 7 or later, for its time fast16.sys was a cut above commodity rootkits thanks to its position in the storage stack, control over filesystem I/O, and rule-based code patching functionality.\r\nIn April 2017, almost 12 years after the compilation timestamp, the same name, “fast16”, appeared in the ShadowBrokers leak. Dr. Boldizsár Bencsáth’s research into Territorial Dispute points to a text file, drv_list.txt . 
The 250KB file is a list of driver names used to mark potential implants that cyber operators might encounter on a target box as “friendly”, or to “pull back” from, in order to avoid clashes with competing nation-state hacking operations.\r\nScreenshot from Crysys Lab’s ShadowBrokers leak analysis paper\r\nThe guidance for one particular driver, ‘fast16’, stands out as unique and particularly unusual.\r\nThe string inside svcmgmt.exe provided the key forensic link in this investigation. The PDB path connects the 2017 leak of deconfliction signatures used by NSA operators with a multi-modal Lua‑powered ‘carrier’ module compiled in 2005, and ultimately its stealthy payload: a kernel driver designed for precision sabotage.\r\nsvcmgmt.exe | Architecture of the Carrier\r\nThe core component of fast16, svcmgmt.exe , functions as a highly adaptable carrier module, changing its operational mode based on command-line arguments.\r\nNo arguments: Runs as a Windows service.\r\n-p : Sets InstallFlag = 1 and runs as a service (Propagate/Install \u0026 Run).\r\n-i : Sets InstallFlag = 1 and executes Lua code (Install \u0026 Execute Lua).\r\n-r : Executes Lua code without setting the install flag (Execute Lua).\r\nAny other argument ( \u003cfilename\u003e ): Interprets it as a filename and spawns two children: the original command and one with the -r argument (Wrapper/Proxy Mode).\r\nInternally, svcmgmt.exe stores three distinct payloads: encrypted Lua bytecode that handles configuration and the propagation and coordination logic, the auxiliary ConnotifyDLL ( svcmgmt.dll ), and the fast16.sys kernel driver.\r\nComposition of the Carrier payload\r\nBy separating a relatively stable execution wrapper from encrypted, task-specific payloads, the developers created a reusable, compartmentalized framework that they could 
adapt to different target environments and operational objectives while leaving the outer carrier binary largely unchanged across campaigns.\r\nThe Wormlets and Early Evasion Architecture\r\nThe early 2000s saw a large number of network worms. Most were written by enthusiasts, spread quickly, and carried little or no meaningful payload. fast16 originates from the same period but follows a completely different pattern, indicative of its provenance as state-level tooling. It is the first recorded Lua-based network worm, and was built with a highly specific mission.\r\nThe carrier was designed to act like a cluster munition in software form, able to carry multiple wormable payloads, referred to internally as ‘wormlets’. The svcmgmt.exe module performs the following steps:\r\n1. Prepares the configuration, defining the payload path, service details, and target IP ranges.\r\n2. Converts the configuration values to wide-character strings for the C layer.\r\n3. Escalates privileges and installs the carrier executable as the SvcMgmt service, then starts it.\r\n4. Optionally, based on the configuration setting, deploys the kernel driver implant fast16.sys .\r\n5. Releases the wormlets. In this particular configuration, only one wormlet slot is populated, with an SCM wormlet that looks for network servers, copies the payload over a network share and starts that remote service.\r\n6. 
Repeats the process indefinitely, sleeping for the configured initial delay between waves, until a failure threshold or external kill condition is reached.\r\nThe wormlets were stored in the carrier’s internal storage:\r\nStructure of the internal storage\r\nThe single deployed wormlet found in svcmgmt.exe (the SCM wormlet) exemplifies a simple but effective propagation strategy based on native Windows capabilities and weak network security. It targets Windows 2000/XP environments and relies on default or weak administrative passwords on file shares. All spreading is done through standard Windows service-control and file-sharing APIs, an early example of propagation that leans on built-in administration features rather than custom network protocols.\r\nBefore this workflow runs, a pre-installation kill-switch checks the environment. The ok_to_install() routine calls ok_to_propagate() , and propagation is allowed only if it is manually forced or if none of a list of common security products is found, which the routine checks through their registry keys. The routine walks the list of vendor keys and aborts installation if any of them is present, preventing deployment into monitored environments.\r\nFor tooling of this age, that level of environmental awareness is notable. 
While the list of products may not seem comprehensive, it likely reflects the products the operators expected to be present in their target networks and whose detection technology would threaten the stealthiness of a covert operation:\r\nHKLM\\SOFTWARE\\Symantec\\InstalledApps\r\nHKLM\\SOFTWARE\\Sygate Technologies, Inc.\\Sygate Personal Firewall\r\nHKLM\\SOFTWARE\\TrendMicro\\PFW\r\nHKLM\\SOFTWARE\\Zone Labs\\TrueVector\r\nHKLM\\SOFTWARE\\F-Secure\r\nHKLM\\SOFTWARE\\Network Ice\\BlackIce\r\nHKLM\\SOFTWARE\\McAfee.com\\Personal Firewall\r\nHKLM\\SOFTWARE\\ComputerAssociates\\eTrust EZ Armor\r\nHKLM\\SOFTWARE\\RedCannon\\Fireball\r\nHKLM\\SOFTWARE\\Kerio\\Personal Firewall 4\r\nHKLM\\SOFTWARE\\KasperskyLab\\InstalledProducts\\Kaspersky Anti-Hacker\r\nHKLM\\SOFTWARE\\Tiny Software\\Tiny Firewall\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Look n Stop 2.05p2\r\nHKCU\\SOFTWARE\\Soft4Ever\r\nHKLM\\SOFTWARE\\Norman Data Defense Systems\r\nHKLM\\SOFTWARE\\Agnitum\\Outpost Firewall\r\nHKLM\\SOFTWARE\\Panda Software\\Firewall\r\nHKLM\\SOFTWARE\\InfoTeCS\\TermiNET\r\nA separate user-mode component, svcmgmt.dll , provides a minimal reporting channel. 
Contained within the\r\ncarrier’s internal storage, this DLL is registered through the Windows AddConnectNotify() API so that it’s called\r\neach time the system establishes a new network connection using the Remote Access Service (RAS), responsible\r\nfor dial-up connections and early VPNs in the 2000s.\r\nModule Name User Module (connotifydll)\r\nFilename svcmgmt.dll\r\nFilesize 45056 bytes\r\nMD5 410eddfc19de44249897986ecc8ac449\r\nSHA256 8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9\r\nLink Time 2005-06-06 18:42:45 UTC\r\nType PE32 DLL (i386, 4 sections)\r\nWhen invoked, the DLL decodes an obfuscated string to obtain the named pipe \\\\.\\pipe\\p577 , attempts to\r\nconnect to the local pipe, and writes the remote and local connection names to the pipe before closing it. The\r\nmodule doesn’t run independently and must be registered by a host process.\r\nfast16.sys | A Filesystem Driver for Precision Sabotage\r\nThe kernel driver fast16.sys is the most potent component of the framework.\r\nThe driver is configured with Start=0 (boot) and Type=2 (filesystem driver) in the SCSI class group. It loads\r\nautomatically at an early stage, alongside disk device drivers, and inserts itself above each filesystem device\r\n(NTFS, FAT, MRxSMB). 
On entry it:\r\ndisables the Windows Prefetcher by setting the EnablePrefetcher value to 0 under the Session Manager’s PrefetchParameters key, forcing subsequent code‑page requests through the full filesystem stack,\r\nresolves kernel APIs dynamically using a simple XOR‑based string cipher and a scan of ntoskrnl.exe , and\r\nexposes \\Device\\fast16 and \\??\\fast16 with a custom DeviceType value 0xA57C, which serves as a secondary forensic marker.\r\nThe driver registers with IoRegisterFsRegistrationChange so it can attach a worker device object on top of every active and newly created filesystem device. All relevant I/O Request Packets, including IRP_MJ_CREATE , IRP_MJ_READ , IRP_MJ_CLOSE , IRP_MJ_QUERY_INFORMATION , IRP_MJ_FILE_SYSTEM_CONTROL , and the associated Fast I/O paths, are routed through these worker devices.\r\nDespite loading at boot, the kernel‑level code injection engine is only activated after the system opens explorer.exe . This design defers expensive monitoring and patching until the desktop environment is available and avoids unnecessary impact on core boot performance.\r\nNarrow Targeting via Intel Compiler Artefacts\r\nOnce activated, fast16.sys focuses on executable files. A file is a valid target if it meets two criteria:\r\n1. The filename ends with .EXE .\r\n2. Immediately after the last PE section header, there is a printable ASCII string starting with Intel .\r\nThis selection logic points to executables compiled with the Intel C/C++ compiler, which often placed compiler metadata in that region. It indicates that the developers knew their target software was built with this toolchain.\r\nFor files meeting these criteria, the driver performs a PE header modification in memory. 
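The two selection criteria above are cheap to reproduce for triage. The checker below is an added example, not the driver's code and not SentinelLABS tooling: it walks a PE image to the end of the section table and applies the same two tests, so suspect binaries copied off a share can be screened offline. The minimal PE used as sample input is constructed here, and treating the .EXE comparison as case-insensitive is my assumption.

```python
# Added example (not fast16 code, not SentinelLABS tooling): reproduce the
# driver's two target-selection tests against a PE image held in memory.
import struct

SECTION_HEADER_SIZE = 40      # sizeof(IMAGE_SECTION_HEADER)


def pe_tail_after_section_headers(image, length=64):
    # Return (offset, bytes) of the region right after the last section header,
    # or None when the image is not a parseable PE.
    if len(image) < 0x40 or image[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        return None
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    if coff + 20 > len(image):
        return None
    num_sections = struct.unpack_from('<H', image, coff + 2)[0]
    opt_size = struct.unpack_from('<H', image, coff + 16)[0]   # SizeOfOptionalHeader
    tail = coff + 20 + opt_size + num_sections * SECTION_HEADER_SIZE
    if tail > len(image):
        return None
    return tail, image[tail:tail + length]


def is_fast16_target(filename, image):
    # True when the filename ends in .EXE and the bytes after the section table
    # form a printable ASCII string that starts with 'Intel'.
    if not filename.upper().endswith('.EXE'):   # assumption: case-insensitive compare
        return False
    res = pe_tail_after_section_headers(image)
    if res is None:
        return False
    text = res[1].split(bytes(1), 1)[0]          # up to the first NUL
    return text.startswith(b'Intel') and all(0x20 <= c < 0x7F for c in text)


def build_sample_pe(tail_string, num_sections=2):
    # Constructed minimal PE32 image: DOS header with e_lfanew = 0x40, COFF header,
    # zeroed 224-byte optional header, blank section headers, then tail_string.
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', 0x40)
    coff = struct.pack('<HHIIIHH', 0x14C, num_sections, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack('<H', 0x10B) + bytes(0xE0 - 2)        # PE32 magic, rest zero
    sections = bytes(SECTION_HEADER_SIZE * num_sections)
    return (dos + b'PE' + bytes(2) + coff + opt + sections
            + tail_string + bytes(1) + bytes(64))


if __name__ == '__main__':
    for name, tag in [('solver.exe', b'Intel compiler tag (constructed)'),
                      ('solver.dll', b'Intel compiler tag (constructed)'),
                      ('solver.exe', b'Microsoft linker tag (constructed)')]:
        print(name, tag, is_fast16_target(name, build_sample_pe(tag)))
```

The check deliberately reads the file image, not the loaded module: the driver tests the on-disk layout as it is read through the filesystem stack, and the region after the section table is not mapped into the process at runtime.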
The driver injects two additional sections, .xdata and .pdata , and fills them with bytes from the original code section, increasing the section count and keeping a clean copy of the code. The intent is likely to increase stability while still allowing extensive patching, although without identifying the original target binaries this remains an informed hypothesis.\r\nRule‑Driven Patching and Floating‑Point Corruption\r\nThe patching engine is a minimalist, performance‑optimised, stateful scanning and modification tool. It is configured with a set of 101 rules, each containing pattern matching and replacement logic. To maintain performance, the engine:\r\nuses a 256‑byte dispatch array and only flags the starting byte values of a small number of unique patterns,\r\nallows wildcards inside patterns so a single rule can match several compiler‑optimised variants of the same code, and\r\nsupports state flags that some rules can set or check, enabling multi‑stage modification sequences similar to those used by advanced antivirus scanning engines.\r\nMost patched patterns correspond to standard x86 code used for hijacking or influencing execution flow. One injected block is different. It is a larger and more complex sequence of Floating Point Unit instructions dedicated to precision arithmetic and scaling values in internal arrays. This code is a standalone mathematical calculation function unrelated to code flow hijacking or any other typical malicious code injection.\r\nTo understand what the driver expected to see, we converted the patching rules into hexadecimal YARA signatures and ran them against a large, period‑appropriate corpus. The results showed a very low hit rate: fewer than ten files matched two or more patterns. Those matches, however, shared a clear theme. 
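The three engine properties listed above (first-byte dispatch table, wildcards, state flags) and the conversion of rules into YARA hex strings can be shown together in one small model. The code below is an added example, not the fast16 engine and not SentinelLABS tooling: the rules, the sample x86 bytes and the fmul-to-fdiv replacement are constructed for illustration, since the appendix lists the driver's match patterns only and the page does not reproduce its replacement bytes.

```python
# Added example (not the fast16 engine, not SentinelLABS tooling): a minimal
# rule-driven byte patcher with a 256-entry first-byte dispatch table, wildcards
# and state flags, plus conversion of its rules into YARA hex strings.
WILD = None   # wildcard position inside a pattern or replacement


class Rule:
    def __init__(self, name, pattern, replacement=None, requires=(), sets=()):
        if pattern[0] is WILD:
            raise ValueError('first byte must be concrete so the rule can be dispatched')
        if replacement is not None and len(replacement) != len(pattern):
            raise ValueError('replacement must have the same length as pattern')
        self.name = name
        self.pattern = list(pattern)            # ints or WILD
        self.replacement = replacement          # ints, or WILD to keep the original byte
        self.requires = frozenset(requires)     # flags that must already be set
        self.sets = frozenset(sets)             # flags set when the rule fires


def build_dispatch(rules):
    # 256-entry table: rules indexed by the first byte of their pattern.
    table = [[] for _ in range(256)]
    for rule in rules:
        table[rule.pattern[0]].append(rule)
    return table


def matches_at(buf, pos, pattern):
    if pos + len(pattern) > len(buf):
        return False
    return all(p is WILD or buf[pos + i] == p for i, p in enumerate(pattern))


def patch(buf, rules, state=()):
    # Single pass over buf. Returns (patched bytes, final state, [(rule name, offset)]).
    out, state, log = bytearray(buf), set(state), []
    table = build_dispatch(rules)
    pos = 0
    while pos < len(out):
        fired = None
        for rule in table[out[pos]]:            # empty for most byte values: cheap skip
            if rule.requires <= state and matches_at(out, pos, rule.pattern):
                fired = rule
                break
        if fired is None:
            pos += 1
            continue
        if fired.replacement is not None:
            for i, b in enumerate(fired.replacement):
                if b is not WILD:
                    out[pos + i] = b
        state |= fired.sets
        log.append((fired.name, pos))
        pos += len(fired.pattern)
    return bytes(out), state, log


def to_yara_hex(rule):
    # Render one rule's pattern as a YARA hex string; wildcards become ??.
    body = ' '.join('??' if b is WILD else '%02X' % b for b in rule.pattern)
    return '$%s = { %s }' % (rule.name, body)


def to_yara_rule(name, rules, minimum=2):
    # Lines of a whole rule that needs at least `minimum` patterns to match.
    return (['rule %s {' % name, '    strings:']
            + ['        ' + to_yara_hex(r) for r in rules]
            + ['    condition:', '        %d of them' % minimum, '}'])


# Constructed rules: a prologue match that only sets a flag, and a rule that fires
# only after it, turning fmul m32 (D8 /1, ModRM 0D) into fdiv m32 (D8 /6, ModRM 35).
RULES = [
    Rule('prologue', [0x55, 0x8B, 0xEC, 0x83, 0xEC, WILD], sets={'in_prologue'}),
    Rule('fmul_to_fdiv', [0xD8, 0x0D, WILD, WILD, WILD, WILD],
         replacement=[0xD8, 0x35, WILD, WILD, WILD, WILD], requires={'in_prologue'}),
]

# Constructed x86 bytes: an fmul before any prologue (must stay intact), then
# push ebp / mov ebp,esp / sub esp,14h, an fld, an fmul (patched) and ret.
SAMPLE = bytes([0xD8, 0x0D, 0x10, 0x00, 0x00, 0x00,
                0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14,
                0xD9, 0x05, 0x44, 0x33, 0x22, 0x11,
                0xD8, 0x0D, 0x48, 0x33, 0x22, 0x11,
                0xC3])

if __name__ == '__main__':
    patched, flags, log = patch(SAMPLE, RULES)
    print(patched.hex(), flags, log)
    for line in to_yara_rule('fast16_patch_targets_example', RULES):
        print(line)
```

Emitting the patterns with a condition of 2 of them mirrors the threshold the authors report for the corpus hunt: a binary has to carry at least two of the code shapes the engine expects before it is worth a closer look, which is what kept the hit count below ten files.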
The matches were precision calculation tools in specialised domains such as civil engineering, physics and physical process simulations.\r\nThe FPU patch in fast16.sys was written to corrupt these routines in a controlled way, producing alternative outputs. This moves fast16 out of the realm of generic espionage tooling and into the category of strategic sabotage. By introducing small but systematic errors into physical‑world calculations, the framework could undermine or slow scientific research programs, degrade engineered systems over time or even contribute to catastrophic damage.\r\nA sabotage operation of this kind would be foiled by verifying calculations on a separate, independently administered system. In an environment where multiple systems shared the same network and security posture, the wormable carrier would deploy the malicious driver module to those systems as well, reducing the chance that an independent calculation would diverge from the corrupted output.\r\nAt this time, we have been unable to identify all of the target binaries in order to understand the nature of the intended sabotage. We welcome the contributions of the larger infosec research community and have included YARA rules to hunt for these patterns in the appendix below.\r\nThe Data Patching Engine\r\nEven after deep analysis, fast16’s driver looks deceptively simple. Beneath that minimal code is a rule-driven in-memory engine that quietly patches executable code as files are read from disk.\r\nThe engine relies on a compact set of just over a hundred pattern-matching rules and a small dispatch table so it only inspects bytes that are likely to matter. Most patterns correspond to ordinary x86 instructions, but one stands out: a larger block of floating-point (FPU) code dedicated to precision arithmetic. 
The injected FPU routine scales values in three internal arrays passed into the function, subtly changing the results of the calculation.\r\nInjected FPU-based calculations\r\nWithout knowing the exact binaries and workloads being patched, we cannot fully resolve what those arrays represent, only that the goal is to tamper with numerical results, not unauthorized access, malware propagation or other common malware objectives.\r\nThe Patch Targets\r\nOur best clues about the intended victims come from matching these patterns against large, era-appropriate software corpora. The strongest overlaps point to three high-precision engineering and simulation suites from the mid-2000s: LS-DYNA 970, PKPM, and the MOHID hydrodynamic modeling platform, all used for scenarios like crash testing, structural analysis, and environmental modeling.\r\nLS-DYNA in particular has been cited in public reporting on Iran’s suspected violations of Section T of the JCPOA, in studies of computer modeling relevant to nuclear weapons development.\r\nUse of LS-DYNA code to research explosive payloads for Iran’s AMAD program\r\nCompiler Footprints and Lineage\r\nAs we sought to understand the lineage of this unusual set of components, we noticed a quirk. Strings of the form @(#)par.h $Revision: 1.3 $ inside the binaries point to an unusual source‑control convention. The @(#) prefix is the marker searched for by the what utility of the early Unix Source Code Control System (SCCS), and $Revision: ... $ is a keyword expanded by the Revision Control System (RCS); both come from tooling of the 1970s and 1980s. These markers do not affect execution and are redundant in modern Windows kernel drivers.\r\nFinding SCCS/RCS artefacts in mid‑2000s Windows code is rare. It strongly suggests that the authors of this framework were not typical Windows‑only developers. 
Instead, they appear to have been long‑term engineers whose culture and toolchain came from older, high‑security Unix environments, often associated with government or military‑grade work. This detail supports the view that fast16 came from a well‑resourced, long‑running development program.\r\nA Digital Fossil with Modern Implications\r\nsvcmgmt.exe was uploaded to VirusTotal nearly a decade ago. It still receives almost no detections: one engine classifies it as generically malicious, and even that with limited confidence. For a stealthy self-propagating carrier that deploys one of the most sophisticated sabotage drivers of its era, that detection record is notable.\r\nTogether with its appearance in the ShadowBrokers ‘Territorial Dispute’ (TeDi) signatures, fast16 forces a re‑evaluation of our historical understanding of the development timeline of serious covert cyber sabotage operations. The code shows that:\r\nstate‑grade cyber sabotage against physical targets was fully developed and deployed by the mid‑2000s,\r\nembedded scripting engines, narrow compiler‑based targeting and kernel‑level patching formed a coherent architecture well ahead of better‑known families, and\r\nsome of the most important offensive capabilities in the ecosystem may still sit in collections as ‘old but interesting’ samples lacking the context to highlight their true significance.\r\nInternally, the operation leaves very little in the way of branding. 
One of the few human‑readable labels is wry and\r\nunderstated:\r\n*** Nothing to see here – carry on ***\r\nFor many years there were no public write-ups, no named campaign and no headline incident linked to this\r\nframework.\r\nIn the broader picture of APT evolution, fast16 bridges the gap between early, largely invisible development\r\nprograms and later, more widely documented Lua‑ and LuaJIT‑based toolkits. It is a reference point for\r\nunderstanding how advanced actors think about long‑term implants, sabotage, and a state’s ability to reshape the\r\nphysical world through software. fast16 was the silent harbinger of a new form of statecraft, successful in its\r\ncovertness until today.\r\nAcknowledgements\r\nSentinelLABS would like to thank Silas Cutler and Costin Raiu for their contributions along the way. We dedicate\r\nthis research to the memory of Sergey Mineev, APT hunter extraordinaire, who pioneered many of the techniques\r\nthat enabled this discovery.\r\nAppendix: Patching Engine Patterns and Target Candidates\r\nExtracted Match Patterns\r\n48 89 84 24 9C 00 00 00 4B 0F 8F 79 FF FF FF 00\r\nD8 E1 D9 5D FC D9 04 00\r\n55 8B EC 83 EC 14 53 56 57 8B 3D ?? ?? ?? ?? 8B 0D 00\r\n89 4D C8 8B FB 8B C8 00\r\nhttps://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/\r\nPage 10 of 20\n\n8B 4C 24 0C 8B 01 83 F8 63 00\r\n39 2D ?? ?? ?? ?? 0F 84 F4 00 00 00 8B 35 ?? ?? ?? ?? 2B 35\r\n7C 02 89 C6 89 35 ?? ?? ?? ?? 89 B4 24 D0\r\n83 3D ?? ?? ?? ?? 00 0F 84 70 BD FF FF 00\r\nBE 07 00 00 00 BF 04 00 00 00 BB 02 00 00 00 00\r\n8B 4D 10 C1 E2 04 8B 19 83 EA 30 8B CB 49\r\n8D 1D ?? ?? ?? ?? 52 8D 05 ?? ?? ?? ?? 51 8D 15 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 53 50 52 51 56 57 E8 ??\r\n0F 8F A5 00 00 00 A1 ?? ?? ?? ?? 83 F8 14 7D 0D\r\n8B 5D B0 0F 85 ?? ?? ?? ?? 8D 34 9D ?? ?? ?? ?? 8D 14 9D 00 0F 8E 1B 03 00 00 D9 05\r\n8B 45 44 6B 00 04 D9 05 ?? ?? ?? ?? 
D8 B0\r\nE9 7E 04 00 00 8B 74 24 1C 8B 54 24 14 85\r\n83 39 63 0F 85 21 03 00 00 8B EE 85 F6 0F\r\n85 DB 8B 55 D4 75 2C 89 35 00\r\n75 18 8D 35 ?? ?? ?? ?? 56 8D 3D 00\r\n8D 1D ?? ?? ?? ?? 52 8D 05 ?? ?? ?? ?? 51 8D 15 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 53 50 52 51 56 57 E8 ??\r\nD8 34 85 ?? ?? ?? ?? 8B 44 ?? ?? 8B CA 00\r\n8B 5D 0C 8B 55 08 8B 36 8B 00\r\n8D 04 BD ?? ?? ?? ?? 03 DF 00\r\n8B EE 85 F6 0F 8E ?? ?? ?? ?? 8D 1C BD 00\r\nD9 04 9D ?? ?? ?? ?? 83 ED 04 05 10 00 00 00 D8 0D 00\r\n75 2C 89 35 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 89 15\r\n89 55 F4 8B F9 8B D3 03 FB C1 E2 02 89 35\r\n40 23 72 65 63 24 65 69 69 6E 20 2E 30 24 D9 5D 00 D9 03 D8 0D ?? ?? ?? ?? D8 0D 00\r\nDF E0 F6 C4 41 A1 ?? ?? ?? ?? 74 5A\r\nFF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9D D9 E0 D9 1D ?? ?? ?? ?? 8B 4C\r\n6A 46 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 03\r\nD8 05 ?? ?? ?? ?? D9 55 00 9C\r\nC2 08 00 A1 ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 89 0E 00\r\n83 EC 04 53 E8 ?? ?? ?? ?? EB 09 83 EC 04 53 00\r\nD8 1D ?? ?? ?? ?? DF E0 F6 C4 41 B8 00 00 00 00 75 05 B8 01 00 00 00 85 C0 74 11 6A 29 00\r\n2B DA 89 3C 03 83 3D 00\r\nD9 5D C0 8B 4D C0 D9 45 E0 89 0E 00\r\n8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 0F 85 7E 00 00 00 0F AF 15 00\r\nB9 01 00 00 00 C1 E7 02 8B BF ?? ?? ?? ?? 8B D7 85 FF 8B 55 30 8B 45 30 D8 C9 8B 75 2C 00 9A 8B 00 00\r\n2B FB 8B DE C1 E3 02 89 7D A0 03 5D A0 8B 03 F7 F7 DB 0C 02 89 35\r\n0F 0F 94 C0 23 C3 33 D2\r\n8B 55 30 8B 75 2C D8 C9 8B 45 30 00\r\nDD 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 0F AF 05 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 0F AF 15\r\n68 28 00 00 00 57 E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 0F AF 1D ?? ?? ?? ?? 8B 3D ?? 
??\r\n8B 75 38 8B 4D 34 D8 C9 8B 00\r\n8B 55 88 8B 5D B0 83 7D 84 01\r\n55 8B EC 83 EC 2C 33 D2 53 56 57 8B\r\n55 8B EC 83 EC 2C B9 46 00 00 00 53 56 57 8B 00\r\nPatch Target Candidate 1: LS-DYNA 970 Software Suite\r\nhttps://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/\r\nPage 11 of 20\n\nThe LS-DYNA suite is powerful engineering simulation software used to analyze how materials and structures\r\nbehave under extreme conditions. The tool is used by engineers to simulate physical events and model conditions\r\nwhile avoiding expensive or dangerous experiments.\r\nLS-DYNA is designed for handling dynamic, complex events that occur at speed, such as car crashes, explosions,\r\nimpacts, metal forming, and manufacturing processes. It was commonly used by automotive companies, aerospace\r\nengineering, defense and military research, as well as manufacturing and materials science applications. LS-DYNA has been in development since 1976.\r\nMD5 1d2f32c57ae2f2013f513d342925e972\r\nSHA1 2fa28ef1c6744bdc2021abd4048eefc777dccf22\r\nSHA256 5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010\r\nFile Size 5,225,591 bytes\r\nLink time 2003-10-24 16:34:57 UTC\r\nFile Type PE32 executable for MS Windows 4.00 (console), Intel i386, 7 sections\r\nPatch Target Candidate 2: PKPM Software Suite\r\nPractical Structural Design and Construction Software (PKPM) is a structural engineering CAD software suite\r\nwidely used in China for building design. The suite comprises multiple executable modules covering the full\r\nlifecycle of structural building design, from structural layout and concrete shear design for beams and columns to\r\nseismic, wind, and load analysis for high-rise buildings.\r\nPKPM’s core analysis engine, SATWE (Space Analysis of Tridimensional Wired Elements), handles\r\ntridimensional structural analysis across floors, beams, columns, walls, and frames. 
PKPM sees extensive use in\r\nChinese civil engineering.\r\nPKPM Concrete Code Shear Design Module\r\nMD5 af4461a149bfd2ba566f2abefe7dcde4\r\nSHA1 586edef41c3b3fba87bf0f0346c7e402f86fc11e\r\nSHA256 09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22\r\nFile Size 7716864 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 6 sections\r\nLink Time 2011-08-26 10:58:17 UTC\r\nPKPM Building Structure CAD Modules\r\nMD5 49a8934ccd34e2aaae6ea1e6a6313ffe\r\nSHA1 3ce5b358c2ddd116ac9582efbb38354809999cb5\r\nSHA256 8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0\r\nFile Size 11849728 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 4 sections\r\nLink Time 2005-12-01 08:35:46 UTC\r\nMD5 e0c10106626711f287ff91c0d6314407\r\nSHA1 650fc6b3e4f62ecdc1ec5728f36bb46ba0f74d05\r\nSHA256 06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47\r\nFile Size 16355328 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 5 sections\r\nLink Time 2012-07-07 08:47:11 UTC\r\nPKPM SATWE Structural Analysis Engine\r\nMD5 2717b58246237b35d44ef2e49712d3a2\r\nSHA1 d475ace24b9aedebf431efc68f9db32d5ae761bd\r\nSHA256 bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613\r\nFile Size 9908224 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 6 sections\r\nLink Time 2011-01-12 06:37:39 UTC\r\nMD5 daea40562458fc7ae1adb812137d3d05\r\nSHA1 1ce1111702b765f5c4d09315ff1f0d914f7e5c70\r\nSHA256 da2b170994031477091be89c8835ff9db1a5304f3f2f25344654f44d0430ced1\r\nFile Size 8454144 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 7 sections\r\nLink Time 2012-11-29 03:10:12 UTC\r\nMD5 2740a703859cbd8b43425d4a2cacb5ec\r\n
SHA1 ca665b59bc590292f94c23e04fa458f90d7b20c9\r\nSHA256 aeaa389453f04a9e79ff6c8b7b66db7b65d4aaffc6cac0bd7957257a30468e33\r\nFile Size 16568320 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 5 sections\r\nLink Time 2014-12-30 03:23:43 UTC\r\nMD5 ebff5b7d4c5becb8715009df596c5a91\r\nSHA1 829f8be65dfe159d2b0dc7ee7a61a017acb54b7b\r\nSHA256 37414d9ca87a132ec5081f3e7590d04498237746f9a7479c6b443accee17a062\r\nFile Size 8089600 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 6 sections\r\nLink Time 2009-04-22 01:46:46 UTC\r\nMD5 cb66a4d52a30bfcd980fe50e7e3f73f0\r\nSHA1 e6018cd482c012de8b69c64dc3165337bc121b86\r\nSHA256 66fe485f29a6405265756aaf7f822b9ceb56e108afabd414ee222ee9657dd7e2\r\nFile Size 9219072 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections\r\nLink Time N/A\r\nAdditional PKPM CAD files\r\nMD5 075b4aa105e728f2b659723e3f36c72c\r\nSHA1 145ef372c3e9c352eaaa53bb0893749163e49892\r\nSHA256 c11a210cb98095422d0d33cbd4e9ecc86b95024f956ede812e17c97e79591cfa\r\nFile Size 6852608 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 6 sections\r\nLink Time 2012-06-18 10:01:54 UTC\r\nMD5 cf859f164870d113608a843e4a9600ab\r\nSHA1 952ed694b60c34ba12df9d392269eae3a4f11be4\r\nSHA256 7e00030a35504de5c0d16020aa40cbaf5d36561e0716feb8f73235579a7b0909\r\nFile Size 8392704 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (GUI), Intel i386, 6 sections\r\nLink Time 2012-11-29 03:10:12 UTC\r\nCandidate 3: MOHID Software Suite\r\nModelo Hidrodinâmico (MOHID, Portuguese for “Hydrodynamic Model”) is an open-source water modeling\r\n
system developed by MARETEC (Marine and Environmental Technology Research Center) at the Instituto\r\nSuperior Técnico in Lisbon, Portugal. The software is used for marine and coastal water modeling, covering\r\nhydrodynamics, water quality simulation, sediment transport, oil spill modeling, and Lagrangian particle tracking.\r\nAt this time, we cannot definitively identify the target and welcome contributions from the broader research\r\ncommunity to aid understanding of the intended effects of attacking this software.\r\nMD5 f4dbbb78979c1ee8a1523c77065e18a5\r\nSHA1 9e089a733fb2740c0e408b2a25d8f5a451584cf6\r\nSHA256 e775049d1ecf68dee870f1a5c36b2f3542d1182782eb497b8ccfd2309c400b3a\r\nFile Size 5443584 bytes\r\nFile Type PE32 executable for MS Windows 4.00 (console), Intel i386, 3 sections\r\nLink Time 2002-10-18 09:29:54 UTC\r\nIndicators of Compromise\r\nName fast16.sys\r\nMD5 0ff6abe0252d4f37a196a1231fae5f26\r\nSHA1 92e9dcaf7249110047ef121b7586c81d4b8cb4e5\r\nSHA256 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529\r\nName connotify.dll\r\nMD5 410eddfc19de44249897986ecc8ac449\r\nSHA1 675cb83cec5f25ebbe8d9f90dea3d836fcb1c234\r\nSHA256 8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9\r\nName svcmgmt.exe\r\nMD5 dbe51eabebf9d4ef9581ef99844a2944\r\nSHA1 de584703c78a60a56028f9834086facd1401b355\r\nSHA256 9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525\r\nYARA Rules\r\nimport \"pe\"\r\nrule apt_fast16_carrier {\r\n meta:\r\n author = \"SentinelLABS/vk\"\r\n date = \"2025-04-07\"\r\n description = \"Catches fast16 carrier, its Lua payload, and plaintext variants\"\r\n hash = \"9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525\"\r\n strings:\r\n $lua_magic = { 1B 4C 75 61 }\r\n \r\n $s1 = \"build_wormlet_table\"\r\n $s2 = \"unpropagate\"\r\n $s3 = \"worm_install_failure_action\"\r\n $s4 = \"implant_install_failure_action\"
\r\n $s5 = \"scm_wormlet_propagate_system\"\r\n $s6 = \"scm_wormlet_install\"\r\n $s7 = \"scm_wormlet_init\"\r\n $s8 = \"scm_copy_payload\"\r\n $s9 = \"get_logged_on_user\"\r\n $s10 = \"logged_on_program\"\r\n $s11 = \"phase_1_prop_delay\"\r\n $s12 = \"connotify_pipename\"\r\n $s13 = \"cndll_internal_name\"\r\n $s14 = \"connotify_provider_key\"\r\n $s15 = \"check_implant_reg_values\"\r\n $s16 = \"set_implant_reg_values\"\r\n $s17 = \"install_implant\"\r\n $s18 = \"implant_installed\"\r\n $s19 = \"implant_internal_name\"\r\n $s20 = \"implant_files\"\r\n $s21 = \"implant_owner\"\r\n $s22 = \"install_worm\"\r\n $s23 = \"start_worm\"\r\n $s24 = \"implant_install_failure_action\"\r\n $s25 = \"worm_install_failure_action\"\r\n $s26 = \"ok_to_propagate\"\r\n $s27 = \"no_firewall_check\"\r\n $s28 = \"scm_wormlet\"\r\n $s29 = \"implant_install_failure_action\"\r\n $s30 = \"worm_install_failure_action\"\r\n \r\n $e1 = { 98 18 A1 94 24 E3 A2 4C 61 C8 AE 04 DC 4E 03 CD 0D 9D F0 }\r\n $e2 = { E8 76 53 6D D4 B9 6E 28 6C 5D C2 }\r\n $e3 = { 7D B7 14 73 F0 C0 4D 53 BB F7 0A 4A 3A 63 05 92 EC 0A 11 BC 22 59 99 05 72 05 19 }\r\n $e4 = { 88 5F 1B E4 45 56 75 4B A5 3D 19 0B 3F 30 5A 85 E2 BD D0 E7 1C 13 D0 1D BD D8 CF A\r\n $e5 = { 88 1E 54 4E 00 C1 EF 79 AA AD 9F 50 27 B5 B8 4C 32 06 D2 7B 32 E3 AF D6 DC D2 BB 8\r\n $e6 = { 39 F9 BC E9 27 70 C4 3E 04 2A 7D E1 68 67 B7 ED D4 41 6A }\r\n $e7 = { 13 FC 24 20 1F 20 74 1B E5 5F 59 56 D7 61 3E BD }\r\n $e8 = { EF 94 49 63 33 41 62 F2 26 A6 48 DE 6D 7B A4 CF }\r\n $e9 = { 36 5F 5E E5 C1 1A 17 6A 4E B9 94 52 1B DC C6 60 CA C7 }\r\n $e10 = { B3 9C A3 F1 12 CC 52 74 34 5F 87 43 32 21 36 7B 2A }\r\n $rk1 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Symantec\\\\InstalledApps\"\r\n $rk2 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Sygate Technologies, Inc.\\\\Sygate Personal Firewall\"
\r\n $rk3 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\TrendMicro\\\\PFW\"\r\n $rk4 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Zone Labs\\\\TrueVector\"\r\n $rk5 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\F-Secure\"\r\n $rk6 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Network Ice\\\\BlackIce\"\r\n $rk7 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\McAfee.com\\\\Personal Firewall\"\r\n $rk8 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\ComputerAssociates\\\\eTrust EZ Armor\"\r\n $rk9 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\RedCannon\\\\Fireball\"\r\n $rk10 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Kerio\\\\Personal Firewall 4\"\r\n $rk11 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\KasperskyLab\\\\InstalledProducts\\\\Kaspersky Anti-Hacke\r\n $rk12 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Tiny Software\\\\Tiny Firewall\"\r\n $rk13 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Look n\r\n $rk14 = \"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Soft4Ever\"\r\n $rk15 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Norman Data Defense Systems\"\r\n $rk16 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Agnitum\\\\Outpost Firewall\"\r\n $rk17 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Panda Software\\\\Firewall\"\r\n $rk18 = \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\InfoTeCS\\\\TermiNET\"\r\n $c1 = { 86 3A D6 02 }\r\n $c2 = { 01 E1 F5 05 }\r\n $code1 = { 8B 00\r\n 2D 2F 34 21 33\r\n }\r\n $stor1 = { CC 00 00 00 05 00 00 00 66 69 6C 65 00 CD 00 00 00 }\r\n condition:\r\n ( uint16(0)==0x5a4d and filesize \u003c 10MB and (\r\n ( 3 of ($s*) ) or\r\n ( 12 of ($rk*) ) or\r\n ( any of ($e*) ) or\r\n ( all of ($c*) and @c2-@c1 \u003c 0x100 ) or\r\n ( $code1 ) or\r\n ( $stor1 )) ) or\r\n ( $lua_magic and 7 of ($s*) )\r\n}\r\nrule apt_fast16_driver {\r\n meta:\r\n author = \"SentinelLABS/vk\"
\r\n last_modified = \"2026-04-15\"\r\n description = \"Catches fast16 driver or related project files\"\r\n hash = \"07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529\"\r\n strings:\r\n $a1 = \"@(#)foo.c : \"\r\n $a2 = \"@(#)par.h : \"\r\n $a3 = \"@(#)pae.h : \"\r\n $a4 = \"@(#)fao.h : \"\r\n $a5 = \"@(#)uis.h : \"\r\n $a6 = \"@(#)ree.h : \"\r\n $a7 = \"@(#)fir.h : \"\r\n $a8 = \"@(#)fir.c : \"\r\n $a9 = \"@(#)par.h : \"\r\n $a10 = \"@(#)pae.h : \"\r\n $a11 = \"@(#)fao.h : \"\r\n $a12 = \"@(#)uis.h : \"\r\n $a13 = \"@(#)ree.h : \"\r\n $a14 = \"@(#)fir.h : \"\r\n $a15 = \"@(#)myy.h : \"\r\n $a16 = \"@(#)fic.h : \"\r\n $a17 = \"@(#)ree.h : \"\r\n $a18 = \"@(#)ree.c : \"\r\n $dev1 = \"\\\\Device\\\\fast16\"\r\n $dev2 = \"\\\\??\\\\fast16\"\r\n $pdb1 = \"C:\\\\buildy\\\\\"\r\n $pdb2 = \"driver\\\\fd\\\\i386\\\\fast16.pdb\"\r\n $devtype = { 68 7C A5 00 00 } // push 0A57Ch ; DeviceType\r\n $api1 = {50 C6 45 D4 16 C6 45 D5 2B C6 45 D6 12 C6 45 D7 3F C6 45 D8 3F C6 45 D9 3C C6 45 DA\r\n $api2 = {C6 45 A8 16 C6 45 A9 2B C6 45 AA 12 C6 45 AB 3F C6 45 AC 3F C6 45 AD 3C C6 45 AE 30\r\n $api3 = {C6 45 E4 16 C6 45 E5 2B C6 45 E6 15 C6 45 E7 21 C6 45 E8 36 C6 45 E9 36 C6 45 EA 03\r\n $api4 = {C6 45 C0 16 C6 45 C1 2B C6 45 C2 15 C6 45 C3 21 C6 45 C4 36 C6 45 C5 36 C6 45 C6 03\r\n condition:\r\n filesize \u003c 10MB and\r\n ( uint16(0)==0x5a4d and\r\n ( ( 2 of ($pdb*) ) or\r\n ( $pdb1 and 1 of ($a*) ) or\r\n (\r\n pe.machine == pe.MACHINE_I386 and\r\n pe.subsystem == pe.SUBSYSTEM_NATIVE) or\r\n any of ($api*) or\r\n 2 of ($dev*))) or\r\n ( 6 of ($a*))\r\n}\r\nrule clean_fast16_patchtarget {\r\n meta:\r\n author = \"SentinelLABS/vk\"\r\n last_modified = \"2026-04-15\"\r\n description = \"Detects fast16 patch target software (most probably clean)\"\r\n hash = 
\"8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9\"\r\n strings:\r\n $el0 = { 48 89 84 24 9C 00 00 00 4B 0F 8F 79 FF FF FF 00 }\r\n $el10 = { D8 E1 D9 5D FC D9 04 00 }\r\n $el12 = { 55 8B EC 83 EC 14 53 56 57 8B 3D ?? ?? ?? ?? 8B 0D 00 }\r\n $el13 = { 89 4D C8 8B FB 8B C8 00 }\r\n $el14 = { 8B 4C 24 0C 8B 01 83 F8 63 00 }\r\n $el16 = { 39 2D ?? ?? ?? ?? 0F 84 F4 00 00 00 8B 35 ?? ?? ?? ?? 2B 35 }\r\n $el2 = { 7C 02 89 C6 89 35 ?? ?? ?? ?? 89 B4 24 D0 }\r\n $el23 = { 83 3D ?? ?? ?? ?? 00 0F 84 70 BD FF FF 00 }\r\n $el25 = { BE 07 00 00 00 BF 04 00 00 00 BB 02 00 00 00 00 }\r\n $el26 = { 8B 4D 10 C1 E2 04 8B 19 83 EA 30 8B CB 49 }\r\n $el28 = { 8D 1D ?? ?? ?? ?? 52 8D 05 ?? ?? ?? ?? 51 8D 15 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 53 50\r\n $el3 = { 0F 8F A5 00 00 00 A1 ?? ?? ?? ?? 83 F8 14 7D 0D }\r\n $el30 = { 8B 5D B0 0F 85 ?? ?? ?? ?? 8D 34 9D ?? ?? ?? ?? 8D 14 9D 00 0F 8E 1B 03 00 00 D9 05\r\n $el31 = { 8B 45 44 6B 00 04 D9 05 ?? ?? ?? ?? D8 B0 }\r\n $el32 = { E9 7E 04 00 00 8B 74 24 1C 8B 54 24 14 85 }\r\n $el33 = { 83 39 63 0F 85 21 03 00 00 8B EE 85 F6 0F }\r\n $el34 = { 85 DB 8B 55 D4 75 2C 89 35 00 }\r\n $el36 = { 75 18 8D 35 ?? ?? ?? ?? 56 8D 3D 00 }\r\n $el37 = { 8D 1D ?? ?? ?? ?? 52 8D 05 ?? ?? ?? ?? 51 8D 15 ?? ?? ?? ?? 8D 0D ?? ?? ?? ?? 53 50\r\n $el39 = { D8 34 85 ?? ?? ?? ?? 8B 44 ?? ?? 8B CA 00 }\r\n $el4 = { 8B 5D 0C 8B 55 08 8B 36 8B 00 }\r\n $el40 = { 8D 04 BD ?? ?? ?? ?? 03 DF 00 }\r\n $el41 = { 8B EE 85 F6 0F 8E ?? ?? ?? ?? 8D 1C BD 00 }\r\n $el42 = { D9 04 9D ?? ?? ?? ?? 83 ED 04 05 10 00 00 00 D8 0D 00 }\r\n $el43 = { 75 2C 89 35 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? 89 15 }\r\n $el45 = { 89 55 F4 8B F9 8B D3 03 FB C1 E2 02 89 35 }\r\n $el46 = { 40 23 72 65 63 24 65 69 69 6E 20 2E 30 24 D9 5D 00 D9 03 D8 0D ?? ?? ?? ?? D8 0D 00\r\n $el49 = { DF E0 F6 C4 41 A1 ?? ?? ?? ?? 74 5A }\r\n $el51 = { FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 9D D9 E0 D9 1D ?? ?? ?? ?? 8B 4C }\r\n $el53 = { 6A 46 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
6A 03 }\r\n $el56 = { D8 05 ?? ?? ?? ?? D9 55 00 9C }\r\n $el59 = { C2 08 00 A1 ?? ?? ?? ?? 8B 0C 85 ?? ?? ?? ?? 89 0E 00 }\r\n $el6 = { 83 EC 04 53 E8 ?? ?? ?? ?? EB 09 83 EC 04 53 00 }\r\n $el61 = { D8 1D ?? ?? ?? ?? DF E0 F6 C4 41 B8 00 00 00 00 75 05 B8 01 00 00 00 85 C0 74 11 6A\r\n $el63 = { 2B DA 89 3C 03 83 3D 00 }\r\n $el68 = { D9 5D C0 8B 4D C0 D9 45 E0 89 0E 00 }\r\n $el70 = { 8B 05 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 0F 85 7E 00 00 00 0F AF 15 00 }\r\n $el73 = { B9 01 00 00 00 C1 E7 02 8B BF ?? ?? ?? ?? 8B D7 85 FF 8B 55 30 8B 45 30 D8 C9 8B 75\r\n $el75 = { 2B FB 8B DE C1 E3 02 89 7D A0 03 5D A0 8B 03 F7 F7 DB 0C 02 89 35 }\r\n $el80 = { 0F 0F 94 C0 23 C3 33 D2 }\r\n $el81 = { 8B 55 30 8B 75 2C D8 C9 8B 45 30 00 }\r\n $el83 = { DD 05 ?? ?? ?? ?? 8B 05 ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? 0F AF 05 ?? ?? ?? ?? 8B 1D ??\r\n $el89 = { 68 28 00 00 00 57 E8 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 0F AF 1D ?? ??\r\n $el94 = { 8B 75 38 8B 4D 34 D8 C9 8B 00 }\r\n $el96 = { 8B 55 88 8B 5D B0 83 7D 84 01 }\r\n $el97 = { 55 8B EC 83 EC 2C 33 D2 53 56 57 8B }\r\n $el99 = { 55 8B EC 83 EC 2C B9 46 00 00 00 53 56 57 8B 00 }\r\n condition:\r\n filesize \u003c 20MB and\r\n uint16(0) == 0x5A4D and\r\n 2 of them\r\n}\r\nrule apt_fast16_patch {\r\nmeta:\r\nauthor = \"SentinelLABS/vk\"\r\nlast_modified = \"2026-04-15\"\r\ndescription = \"Detects the fast16 patch code. May be present in statically patched fi\r\nhash = \"0ff6abe0252d4f37a196a1231fae5f26\"\r\nstrings:\r\n$p1 = { 55 88 50 53 52 51 8D 64 24 94 DD 34 24 51 E8 ?? ?? ?? ?? 59 81 E9 14 00 00 00\r\n$p2 = { 59 81 E9 EE 00 00 00 6A 02 BB B4 05 00 00 01 CB C6 03 EB 43 C6 03 15 8B 44 24\r\n$p3 = { 50 53 52 51 E8 ?? ?? ?? ?? 59 81 E9 78 01 00 00 D9 99 C4 0F 00 00 8D 64 24 94
\r\ncondition:\r\nany of them\r\n}\r\nSource: https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/"
	],
	"report_names": [
		"fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet"
	],
	"threat_actors": [],
	"ts_created_at": 1778121778,
	"ts_updated_at": 1778121851,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc8a8134664541c3006bc77eafd6c670f5dd8760.pdf",
		"text": "https://archive.orkl.eu/cc8a8134664541c3006bc77eafd6c670f5dd8760.txt",
		"img": "https://archive.orkl.eu/cc8a8134664541c3006bc77eafd6c670f5dd8760.jpg"
	}
}