HackMyIP
2026-04-27 Dark Reading

Fast16: 20-Year-Old Malware That Predates Stuxnet Found

Tags: Malware, APT, Threat Intel

Researchers at SentinelOne, led by senior threat analyst Alexei Markov, uncovered a previously unknown malware framework they have dubbed "Fast16", dating back to the late 1990s and predating the notorious Stuxnet by roughly five years. The malware is a sophisticated, multi‑module suite designed to infiltrate SCADA and industrial control systems, featuring a kernel‑mode rootkit driver, custom encryption, and modular payloads that enable covert surveillance and physical sabotage. Its discovery came after a forensic analysis of archived logs from a decommissioned power plant in Eastern Europe, where traces of the malicious driver "fast16.sys" were identified.

Fast16’s architecture comprises a primary dropper, the rootkit driver "fast16.sys", a command‑and‑control (C2) module that communicates over a modified HTTP protocol on port 443, and a sabotage payload capable of altering programmable logic controller (PLC) logic. The C2 channel employs a domain‑generation algorithm (DGA) to evade blacklist filters and uses 256‑bit AES encryption for its traffic. Additionally, the framework includes a data‑exfiltration component that can siphon sensitive operational data from targeted networks, mirroring capabilities later seen in Stuxnet.

The find reshapes the timeline of state‑sponsored cyber sabotage, indicating that advanced persistent threat (APT) actors already possessed a comparable level of sophistication a decade before Stuxnet’s 2010 debut. Code‑pattern analysis and operational procedure similarities link Fast16 to a nation‑state APT group that had previously gone unrecorded in public threat intelligence databases. Researchers hypothesize that the group may have been active since 1999, targeting nuclear facilities in the Middle East.

The implications for critical infrastructure are profound. Organizations running legacy SCADA systems are advised to audit for indicators of compromise such as the presence of "fast16.sys", unusual HTTPS traffic with irregular TLS certificates, and PLC logic anomalies. Security teams should also review historical network traffic logs and deploy advanced threat‑hunting solutions capable of detecting kernel‑level rootkits. This discovery underscores the need for continuous threat intelligence sharing and proactive defense strategies against long‑dormant, highly sophisticated malware.
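The audit guidance above can be turned into a simple hunting check. The following is an added example, not code from the article or from SentinelOne: it scans constructed driver-load events and TLS session records for the indicators the piece names (the "fast16.sys" driver name, port-443 sessions with a self-signed certificate and a DGA-looking hostname). All log field names, hosts and domains are assumptions.

```python
import math
from collections import Counter

# Constructed sample telemetry (not from the article): Windows driver-load
# events and TLS session records from a legacy SCADA network segment.
DRIVER_EVENTS = [
    "2026-04-20T02:14:07Z host=hmi-01 event=DriverLoad image=C:\\Windows\\System32\\drivers\\fast16.sys signed=no",
    "2026-04-20T02:14:09Z host=hmi-01 event=DriverLoad image=C:\\Windows\\System32\\drivers\\tcpip.sys signed=yes",
]
TLS_SESSIONS = [
    "2026-04-20T02:15:01Z src=10.20.1.15 dst=203.0.113.7:443 sni=qzkx7mv2bt9hd.example self_signed=yes",
    "2026-04-20T02:16:30Z src=10.20.1.16 dst=198.51.100.4:443 sni=updates.example self_signed=no",
]

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; DGA-generated labels tend to score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' log line into a dict (assumed log format)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def suspicious_driver(line: str) -> bool:
    """Flag the named rootkit driver, plus any unsigned driver load on a SCADA host."""
    rec = parse_kv(line)
    name = rec.get("image", "").rsplit("\\", 1)[-1].lower()
    return name == "fast16.sys" or rec.get("signed") == "no"

def suspicious_tls(line: str, entropy_threshold: float = 3.5) -> bool:
    """Flag port-443 sessions with a self-signed certificate and a DGA-like SNI."""
    rec = parse_kv(line)
    if not rec.get("dst", "").endswith(":443"):
        return False
    first_label = rec.get("sni", "").split(".")[0]
    return rec.get("self_signed") == "yes" and shannon_entropy(first_label) >= entropy_threshold

def hunt(driver_events, tls_sessions):
    """Return the matching lines per indicator class for analyst triage."""
    return {
        "drivers": [l for l in driver_events if suspicious_driver(l)],
        "tls": [l for l in tls_sessions if suspicious_tls(l)],
    }

if __name__ == "__main__":
    for kind, hits in hunt(DRIVER_EVENTS, TLS_SESSIONS).items():
        for h in hits:
            print(f"[{kind}] {h}")
```

Matching on the file name alone is brittle (the driver can be renamed), so the unsigned-driver and certificate checks are the ones that carry weight; treat every hit as a lead for memory and disk forensics rather than a verdict.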

Source: Dark Reading
