fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet
Vitaly Kamluk & Juan Andrés Guerrero-Saade · 2026-04-23
ATT&CK techniques detected
21 predictions
T1012 Query Registry (80%)
"…present in their target networks whose detection technology would threaten the stealthiness of a covert operation: HKLM\SOFTWARE\Symantec\InstalledApps, HKLM\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall, HKLM\SOFTWARE\TrendMicro\PFW, HKLM\SOFTWARE…"
T1569.002 Service Execution (79%)
"…wormlet found in svcmgmt.exe (the SCM wormlet) exemplifies a simple but effective propagation strategy based on native Windows capabilities and weak network security. It targets Windows 2000/XP environments and relies on default or weak administrative passwords on file shares.…"
T1112 Modify Registry (79%)
"…f 5e e5 c1 1a 17 6a 4e b9 94 52 1b dc c6 60 ca c7 } $e10 = { b3 9c a3 f1 12 cc 52 74 34 5f 87 43 32 21 36 7b 2a } $rk1 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\InstalledApps" $rk2 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Sygate Technologies, Inc.\\Syga…"
T1036.005 Match Legitimate Resource Name or Location (75%)
"Indicators of compromise. Name: fast16.sys; MD5 0ff6abe0252d4f37a196a1231fae5f26; SHA1 92e9dcaf7249110047ef121b7586c81d4b8cb4e5; SHA256 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529. Name: connotify.dll; MD5 410eddfc19de44249897986ecc8ac449; SHA1 675cb83cec5f25ebbe8d9…"
T1055.001 Dynamic-link Library Injection (72%)
"…af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0. File size: 11849728 bytes. File type: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 4 sections. Link time: 2005-12-01 08:35:46 UTC. MD5 e0c10106626711f287ff91c0d6314407; SHA1 650fc6b3e4f62ecdc1ec5728f36bb46ba0f74d05; S…"
T1068 Exploitation for Privilege Escalation (69%)
"PE32 executable for MS Windows 5.00 (native), Intel i386, 5 sections. Link time: 2005-07-19 15:15:41 UTC (0x42dd191d). This kernel driver is a boot-start filesystem component that intercepts and modifies executable code as it's read from disk. Although a driver of t…"
T1036 Masquerading (60%)
"Indicators of compromise. Name: fast16.sys; MD5 0ff6abe0252d4f37a196a1231fae5f26; SHA1 92e9dcaf7249110047ef121b7586c81d4b8cb4e5; SHA256 07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529. Name: connotify.dll; MD5 410eddfc19de44249897986ecc8ac449; SHA1 675cb83cec5f25ebbe8d9…"
T1547.006 Kernel Modules and Extensions (59%)
"…stack, resolves kernel APIs dynamically using a simple XOR-based string cipher and a scan of ntoskrnl.exe, and exposes \Device\fast16 and \??\fast16 with a custom DeviceType value 0xa57c, which serves as a secondary forensic marker. The driver registers with IoRegisterFsR…"
T1055.001 Dynamic-link Library Injection (56%)
"…artefacts. Once activated, fast16.sys focuses on executable files. A file is a valid target if it meets two criteria: the filename ends with .exe; immediately after the last PE section header, there is a printable ASCII string starting with Intel. This selection logic points to …"
T1055.001 Dynamic-link Library Injection (55%)
"…34df766aa1dc9e3525. Type: PE32 executable for MS Windows 4.00 (console), Intel i386. Link time: 2005-08-30 18:15:06 UTC. A closer look reveals an embedded Lua 5.0 virtual machine and an encrypted bytecode container unpacked by the service entry point. The developers exte…"
T1055.001 Dynamic-link Library Injection (52%)
"…PE32 DLL (i386, 4 sections). When invoked, the DLL decodes an obfuscated string to obtain the named pipe \\.\pipe\p577, attempts to connect to the local pipe, and writes the remote and local connection names to the pipe before closing it. The module doesn't run independen…"
T1547.006 Kernel Modules and Extensions (51%)
"PE32 executable for MS Windows 5.00 (native), Intel i386, 5 sections. Link time: 2005-07-19 15:15:41 UTC (0x42dd191d). This kernel driver is a boot-start filesystem component that intercepts and modifies executable code as it's read from disk. Although a driver of t…"
T1543.003 Windows Service (48%)
"…to "pull back" in order to avoid clashes with competing nation-state hacking operations. The guidance for one particular driver, 'fast16', stands out as both unique and particularly unusual. The string inside svcmgmt.exe provided the key forensic link in this investigation…"
T1068 Exploitation for Privilege Escalation (45%)
"…or more patterns. Those matches, however, shared a clear theme. They were precision calculation tools in specialised domains such as civil engineering, physics and physical process simulations. The FPU patch in fast16.sys was written to corrupt these routines in a controlled way…"
T1059.011 Lua (40%)
"…– carry on ***" Overview. Our investigation into fast16 starts with an architectural hunch. A certain tier of apex threat actors has consistently relied on embedded scripting engines as a means of modularity. Flame, Animal Farm's Bunny, 'PlexingEagle', Flame 2.0, and Proje…"
T1068 Exploitation for Privilege Escalation (37%)
"…PE32 DLL (i386, 4 sections). When invoked, the DLL decodes an obfuscated string to obtain the named pipe \\.\pipe\p577, attempts to connect to the local pipe, and writes the remote and local connection names to the pipe before closing it. The module doesn't run independen…"
T1055.001 Dynamic-link Library Injection (36%)
"…start with the magic bytes 1b 4c 75 61 (\x1bLua), followed by a version byte, and the engine typically exposes a characteristic C API and environment variables such as LUA_PATH. Hunting for these traits across mid-2000s malware collections surfaced a sample that initially …"
T1055.001 Dynamic-link Library Injection (36%)
"…YARA rules to hunt for these patterns in the appendix below. The data patching engine. Even after deep analysis, fast16's driver looks deceptively simple. Beneath that minimal code is a rule-driven in-memory engine that quietly patches executable code as files are read from …"
T1059.006 Python (35%)
"…– carry on ***" Overview. Our investigation into fast16 starts with an architectural hunch. A certain tier of apex threat actors has consistently relied on embedded scripting engines as a means of modularity. Flame, Animal Farm's Bunny, 'PlexingEagle', Flame 2.0, and Proje…"
T1027.011 Fileless Storage (33%)
"…= "HKEY_LOCAL_MACHINE\\SOFTWARE\\Norman Data Defense Systems" $rk16 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Agnitum\\Outpost Firewall" $rk17 = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Panda Software\\Firewall" $rk18 = "HKEY_LOCAL_MACHINE\\SOFTW…"
Summary
A previously unknown 2005 cyber sabotage framework patches high-precision calculation software in memory to silently corrupt results.