惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
爱范儿
爱范儿
人人都是产品经理
人人都是产品经理
博客园 - 司徒正美
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位
罗磊的独立博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Cyberwarzone
Cyberwarzone
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
IT之家
IT之家
博客园 - 聂微东
Spread Privacy
Spread Privacy
V2EX - 技术
V2EX - 技术
S
Security Affairs
宝玉的分享
宝玉的分享
V
V2EX
C
Cisco Blogs
博客园 - Franky
美团技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
WordPress大学
WordPress大学
W
WeLiveSecurity
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
阮一峰的网络日志
阮一峰的网络日志

WIRED

‘Avatar: Aang, The Last Airbender’ Leaked Online. Some Fans Say Paramount Deserves the Fallout NASA Wants to Put Nuclear Reactors on the Moon AI Could Democratize One of Tech's Most Valuable Resources Microsoft Surface PCs Are Getting Big Price Hikes, and the Cheaper Models Are Going Away Why Amazon Is Buying Globalstar—and What It Means for Your iPhone The US Government Will Ask Data Centers How Much Power They Use MAGA Is Starting to Look Beyond Trump Allbirds Is Pivoting to AI Compute. Sure, Why Not Best Smart Smoke Detector (and Why You Still Need a Dumb One) 12 Best Standing Desks of 2026, Tested and Reviewed Best Wi-Fi Routers of 2026 for Working, Gaming, and Streaming Best GoPro Camera (2026): Compact, Budget, Accessories The Caves That Could Help Us Find, or Become, Aliens AI Slop Is Making the Internet Fake-Happy The Deepfake Nudes Crisis in Schools Is Much Worse Than You Thought In the Wake of Anthropic’s Mythos, OpenAI Has a New Cybersecurity Model—and Strategy Telegram Is Still Hosting a Sanctioned $21 Billion Crypto Scammer Black Market The FCC Has a Fast Lane for Complaints About Trump’s Media Critics Top iRestore Deals for Hair Growth and LED Therapy Devices Meta Is Warned That Facial Recognition Glasses Will Arm Sexual Predators You Should Be More Freaked Out by Shingles BYD’s Fastest-Charging Car in the World Is Astonishing—in Good and Bad Ways The 4 Best Water Filter Pitchers (2026): PFAS, Microplastics The Internet's Most Powerful Archiving Tool Is in Peril The Dumbest Hack of the Year Exposed a Very Real Problem AI Agents Are Coming for Your Dating Life ‘The Audacity’ Is the Broligarchy Takedown You Were Waiting For Why Is It So Hard to Fix an Electric Bike? (2026) Best 2-in-1 Laptops (2026): Microsoft, Lenovo, and the iPad There’s a Secret Ingredient to Making Luxury Ice at Home The Screen Time Legends Who Won't Put Down Their Phones Mammotion’s Spino E1 Is Affordable but Doesn’t Quite Deliver You Don’t Have to Drink Lukewarm Coffee Ever Again. Get a Warmer Zuvi ColorBox Review: Please Just Go to a Professional MacBook Neo vs. MacBook Air: Which One Should You Buy? Best Electric Cargo Bikes (2026): Urban Arrow, Lectric, Tern, and More ‘Crimson Desert’ Is a Cat Dad Simulator Your Push Notifications Aren’t Safe From the FBI Flight Path Data Shows How Mosquitoes Target Humans How the Internet Broke Everyone’s Bullshit Detectors The All-Clad Factory Seconds Sale Is Back—for Now (2026) Artemis II Astronauts Safely Return to Earth After Historic Flight Around the Moon Home Depot Spring Black Friday (2026): Best Tool and Grill Deals Motorola’s Souped-Up Folding Phone Is Almost Half Off Anthropic’s Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think The Future of the Artemis Program Is Riding on Reentry Suspect Arrested for Allegedly Throwing Molotov Cocktail at Sam Altman’s Home "Uncanny Valley": OpenAI and Musk Fight Again; DOJ Mishandles Voter Data; Artemis II Comes Home This Clever Bike Bell Can Even Be Heard by People Wearing Noise-Canceling Headphones This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts I Did Not Catch Air on the Aventon Current Electric Mountain Bike, but I Could Have Best Smart Shades, Blinds, and Curtains (2026): Motorized, Tailor-Made, and More How 'Democracy Now!' Became the Blueprint for Indie Media AI Podcasters Really Want to Tell You How to Keep a Man Happy Irrigreen's New Smart Irrigation System Promises Smart Watering Without the Hassle—Almost No One Knows Where US Vaccine Policy Goes Next I Tried Asus' First Open Earbuds for Gamers Meta’s New AI Asked for My Raw Health Data—and Gave Me Terrible Advice How and When to Watch the Artemis II Mission’s Return to Earth Naturepedic Promo Codes: Get 20% Off Plus Free Pillows Hungryroot Coupon Codes: 30% Off This April Govee Discount Codes and Deals: 30% Off We-Vibe Coupon Offers: Couples’ Toys and Gift Set Discounts Sealy Promo Code: Save $200 on Mattresses This Month OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters China Is Cracking Down on Scams. Just Not the Ones Hitting Americans The 70-Person AI Image Startup Taking on Silicon Valley's Giants Save $20 on This Already Inexpensive Wireless Mic Set John Deere Is Paying Farmers $99 Million for Allegedly Monopolizing Repair The Iran War Is Tearing MAGA Influencers Apart The FBI Didn’t Answer Texts From Minnesota Investigators for Days After Renee Good’s Killing The Pro-Iran Meme Machine Trolling Trump With AI Lego Cartoons Ridge Wallet Review: A Beacon for the Overencumbered How Meta Cafeteria Workers Took on ICE—and Won Get Peace of Mind With This GPS and Activity Tracker for Pets I Asked Netflix’s Reality TV Boss Why So Many Men On Dating Shows Are Terrible I Tried TCL’s Samsung Frame Competitor and It Didn’t Compare Politicians Are Spending More Money on Security as They Increasingly Become Targets This AI Wearable From Ex-Apple Engineers Looks Like an iPod Shuffle Artemis II Astronauts Witnessed 6 Meteorites Colliding With the Moon Medicube Coupon Code: 40% Off for April 2026 Top Instacart Promo Code: $15 Off for July 2026 Vivid Seats Promo Codes and Deals: Get 10% Off Birdfy Discount Codes: 15% Off Sitewide Google Workspace Promo Codes: 14% Off for June Paramount+ Coupon Codes and Deals for June 2026 NZXT Discount Codes: 50% Off in June 2026 LG Promo Codes and Coupons for June 2026 AT&T Promo Codes: $50 Off This June 2026 TurboTax Full Service Coupons This June Top Peacock Promo Codes: 40% Off June 2026 Therabody Promo Codes: 15% Off June 2026 Surfshark Promo Codes: 87% Off | June 2026 Nomad Goods Promo Codes: Get 25% Off in June 2026 20% Off Sephora Promo Code | June 2026 30% Off Canon Promo Codes | June 2026 Factor Promo Codes for July 2026 Top Dell Coupon Codes: 20% Off for June 2026 Walmart Promo Codes: Up to 65% Off for June 2026 What Is the Best Fitness Tracker in 2026? Garmin, Oura, More
Newly Deciphered Sabotage Malware May Have Targeted Iran’s Nuclear Program—and Predates Stuxnet
Andy Greenbe · 2026-04-24 · via WIRED

Researchers have finally cracked Fast16, mysterious code capable of silently tampering with calculation and simulation software. It was created in 2005—and likely deployed by the US or an ally.

Photo Illustration of IRAN map with Scissors in front cutting wires

Photo-Illustration; Jobanny Cabrera: Getty Images

In the history of state-sponsored hacking, the spectrum of cyber operations bent on sabotage have ranged from crude “wiper” attacks that destroy data on target computers to the legendary Stuxnet, a piece of malware the US and Israel first deployed in Iran in 2007 to silently accelerate the spinning of nuclear enrichment centrifuges until they destroyed themselves. Now researchers have discovered another chapter in that decades-long evolution of cybersabotage techniques: a 21-year-old specimen of malware capable of tampering with research and engineering software to undetectably sow mayhem—one that may have been used in Iran, even before Stuxnet.

Vitaly Kamluk and Juan Andrés Guerrero-Saade, two researchers from the cybersecurity firm SentinelOne, on Thursday revealed a breakthrough in the mystery of a piece of malware known as Fast16, a piece of code whose purpose has eluded the cybersecurity world since its existence was first revealed in an NSA leak in 2017. The SentinelOne researchers have now reverse-engineered the Fast16 code, which they say dates back to 2005 and was likely created by either the US government or one of its allies.

Kamluk and Guerrero-Saade have determined that the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.

“It focuses on making slight alterations to these calculations so that they lead to failures—very subtle ones, perhaps not immediately apparent. Systems might wear out faster, collapse, or crash, and scientific research could yield incorrect conclusions, potentially causing serious harm,” says Kamluk, who along with Guerrero-Saade will present their Fast16 findings at the cybersecurity conference Black Hat Asia in Singapore. “It is a nightmare, to be honest.”

In their analysis of Fast16, Kamluk and Guerrero-Saade found three potential types of physical simulation software that the malware might have been designed to tamper with: Modelo Hidrodinâmico (or MOHID) software created by Portuguese developers for modeling water systems; Chinese construction engineering software known as PKPM; and, perhaps most significantly, the physical simulation software LS-DYNA, an application originally created by scientists who had worked at US Lawrence Livermore National Laboratory, which is now used in modeling everything from collisions between birds and airplanes to the tensile strength of crane components.

Among all those possibilities, Kamluk and Guerrero-Saade point to evidence for one theory in particular: LS-DYNA was also used by Iranian scientists carrying out research that may have contributed to its nuclear weapons program, according to the Institute for Science and International Security. That institute also noted that the software can be used for modeling physics problems related to nuclear weapons research such as the interaction of metals in a nuclear weapon and the impact of a ballistic missile's reentry into the Earth's atmosphere on a nuclear warhead.

All of that suggests that Fast16 might have been used in the mid-2000s specifically to subvert Iran's attempt to gain nuclear weapons, perhaps even years before Stuxnet was deployed to achieve the same result through a more direct form of sabotage, as part of a joint program carried out by the NSA and Israel's Unit 8200 hackers known as Olympic Games.

“It's not beyond the pale that what we're looking at is an early predecessor to Olympic Games. It fits the bill, right?” says Guerrero-Saade. “We want to be good, objective researchers, but this is really not a stretch.”

Regardless of whether that theory holds true, the new analysis of Fast16 rewrites the history of state-sponsored hacking, says Thomas Rid, the director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University. “It means that deceptive sabotage operations have been part of the cyber playbook from much earlier than we thought, perhaps even from the beginning,” says Rid. “And it also looks like they were much stealthier than we understood.”

“Nothing to See Here—Carry On”

The mystery of Fast16 first came to light in April of 2017, after the still-unidentified hacker group known as Shadow Brokers somehow obtained and leaked a vast collection of NSA tools onto the open internet. One of those tools, labeled Territorial Dispute, appeared to be designed to help NSA operators who were hacking into networks around the world avoid conflicts with other hacking operations. The tool, first analyzed in depth by Hungarian researcher Boldizsár Bencsáth, included a long list of malware specimens, including some that were used by the NSA and other “friendly” agencies, as well as instructions on when to “pull back” to avoid detection by an adversary's intrusion operation.

Among the listed samples was one with a wholly unique label. For the malware referred to as “fast16," the Territorial Dispute tool told NSA operators “NOTHING TO SEE HERE—CARRY ON.” That strange instruction, researchers have speculated in the years since, likely means that Fast16 was the work of the NSA, another agency or contractor within the US intelligence community, or the intelligence agency of an ally—and that NSA hackers shouldn't interfere with it.

Since the ShadowBrokers' leak didn't appear to include any piece of software actually called Fast16, however, everything else about the malware remained unknown. Only in 2019 did Guerrero-Saade find a sample of Fast16 hidden in the archives of VirusTotal, the Google-owned tool that serves as a repository of malware code. Searching for malware samples that included within their code a specific engine for running the Lua programming language—a trait that had appeared previously in multiple highly sophisticated pieces of state-sponsored malware—Guerrero-Saade found an innocuous-looking application called svcmgmt.exe.

On closer examination, Guerrero-Saade discovered it contained a kernel driver—a piece of code designed to run at the deepest, most highly-privileged level of an operating system—called Fast16.sys, which appeared to have been compiled in 2005. (Guerrero-Saade declined to say who had uploaded the code to VirusTotal, because VirusTotal discourages users from trying to identify uploaders.)

Yet in spite of Guerrero-Saade's discovery, it would take seven more years for anyone to determine what Fast16 actually did. Within the relatively small community of cybersecurity researchers interested in 14-year-old malware samples, most assumed at a first glance that it was a type of malware known as a rootkit, which takes the form of a kernel driver to better hide itself on a computer, typically for stealthy spying.

Only three months ago did Guerrero-Saade's colleague at SentinelOne, Kamluk, decide to try reverse-engineering the Fast16 malware as part of an experiment in comparing his own skills to those of AI tools. Just two weeks ago, he made a surprising discovery: Fast16 was not a rootkit. (Five different top AI tools incorrectly said that it was.)

Instead, Kamluk saw that it was a self-spreading piece of code with very different intentions. Using what was referred to within the code as “wormlet” functionality, Fast16 is designed to copy itself to other computers on the network via Windows’ network share feature. It checks for a list of security applications, and if none are present, installs the Fast16.sys kernel driver on the target machine.

That kernel driver then reads the code of applications as they're loaded into the computer's memory, monitoring for a long list of specific patterns—“rules” that allow it to identify when a target application is running. When it detects the target software, it carries out its apparent goal: silently altering the calculations the software is running to imperceptibly corrupt its results.

“This actually had a very significant payload inside, and pretty much everybody who looked at it before had missed it,” says Costin Raiu, a researcher at security consultancy TLP:Black who previously led the team that included Kamluk and Guerrero-Saade at Russian security firm Kaspersky, which did early work analyzing Stuxnet and related malware. “This is designed to be a long-term, very subtle sabotage which probably would be very, very difficult to notice.”

Searching for software that met the criteria of Fast16's “rules” for an intended sabotage target, Kamluk and Guerrero-Saade found their three candidates: the MOHID, PKPM, and LS-DYNA software. As for the “wormlet” feature, they believe that the spreading mechanism was designed so that when a victim double-checks their calculation or simulation results with a different computer in the same lab, that machine, too, will confirm the erroneous result, making the deception all the more difficult to discover or understand.

In terms of other cybersabotage operations, only Stuxnet is remotely in the same class as Fast16, Guerrero-Saade argues. The complexity and sophistication of the malware, too, place it in Stuxnet's realm of high-priority, high-resource state-sponsored hacking. “There are few scenarios where you go through this kind of development effort for a covert operation,” Guerrero-Saade says. “Somebody bent a paradigm in order to slow down or damage or throw off a process that they considered to be of critical importance.”

The Iran Hypothesis

All of that fits the hypothesis that Fast16 might, like Stuxnet, have been aimed at disrupting Iran's ambitions of building a nuclear weapon. TLP:Black's Raiu argues that, beyond a mere possibility, targeting Iran represents the most likely explanation—a “medium-high confidence” theory that Fast16 was “designed as a cyber strike package” that targeted Iran's AMAD nuclear project, a plan by the regime of Ayatollah Khameini to obtain nuclear weapons in the early 2000s.

“This is another dimension of cyberattacks, another way to to wage this cyberwar against Iran's nuclear program,” Raiu says.

In fact, Guerrero-Saade and Kamluk point to a paper published by the Institute for Science and International Security, which collected public evidence of Iranian scientists carrying out research that could contribute to the development of a nuclear weapon. In several of those documented cases, the scientists' research used the LS-DYNA software that Guerrero-Saade and Kamluk found to have been a potential Fast16 target.

One study, ISIS's paper notes, used LS-DYNA to compare the properties of two different explosives, PBXN-110 and Octol, that could be used to trigger a nuclear warhead. Octol, the paper notes, was a key component of Iran's AMAD project. Though that research paper comparing explosives' properties was published in 2018, Guerrero-Saade and Kamluk point out that LS-DYNA has been in use for decades, including during the time of the AMAD project.

The researchers note, too, that Fast16 could well have been used more than once against different targets, even in different countries. The malware's code includes evidence of a “version control” system, along with clues that the sample Guerrero-Saade and Kamluk analyzed wasn't the first or only version of the tool. They and Raiu all point out—without drawing any conclusions—that North Korea's nuclear weapons development program also experienced numerous unexplained failures in the same time period. “With this level of development, they didn't make this to run it just one time,” says Guerrero-Saade.

Synopsys, the California-based company that today maintains and sells LS-DYNA, declined WIRED's request for comment. WIRED also reached out to the developers of MOHID and the China Academy of Building Research, which develops PKPM, but didn't receive a response from either organization.

Neither the NSA nor the Office of the Director of National Intelligence responded to WIRED's request for comment.

Hypotheses about its target aside, Kamluk says the existence of a 21-year-old malware specimen capable of nearly undetectable tampering with safety-critical research and engineering represents a deeply disturbing, even paranoia-inducing discovery—one that makes him question his trust in the computers that have assured the safety of everything from trains to airplanes.

“For any kind of disaster or catastrophe where people died in an accident,” Kamluk says, “you don't want to nurture these fears, but it naturally comes up: Was there a cyber angle?”

The fact that Fast16 remained undetected for so long, however, suggests that it was likely used against only a small number of targets to maintain its stealth, says Johns Hopkins' Rid. That should offer anyone unnerved by the discovery of Fast16 some reassurance that their computers can still be trusted, he says—except for those who might actually be the target of a rare and highly sophisticated state-sponsored hacking operation.

For those few potential victims, he says, Fast16 should rightfully induce distrust not just in today's computers, but in everything those machines have calculated, potentially stretching back decades. “If you're a very high-value intelligence target like a nuclear program in a country with potent adversaries, then maybe you can't trust your computers,” Rid says. “And even worse: you could never trust them.”

  • In your inbox: Will Knight's AI Lab explores advances in AI

  • Big Story: The snake bros getting bitten by their lethal pets

Andy Greenberg is a senior writer for WIRED covering hacking, cybersecurity, and surveillance. He’s the author of the books Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency and Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. His books ... Read More

Read More