fast16 nuclear weapons sabotage malware
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations, and the malware specifically targeted uranium-compression simulations central to nuclear weapon design.
The fast16 nuclear weapons sabotage malware was analyzed by Broadcom-owned Symantec and Carbon Black teams, and their findings build on previous research from SentinelOne which described fast16 as the first sabotage framework with components dating back to 2005.
The fast16 nuclear weapons sabotage malware predates the earliest known version of Stuxnet (Stuxnet 0.5) by approximately two years, and it represents a previously unknown chapter in the history of state-sponsored cyber sabotage.
The Uranium Compression Threshold
The fast16 nuclear weapons sabotage malware contains a specific density check that reveals its nuclear weapons targeting, the malware checks for the density of the material being simulated and only acts when that value passes 30 grams per cubic centimeter.
This threshold is significant because uranium can only reach this density under the shock compression of an implosion device, and the fast16 nuclear weapons sabotage malware was specifically designed to interfere with simulations of this exact physical process.
The Targeted Software
The fast16 nuclear weapons sabotage malware targets two specific software applications, LS-DYNA and AUTODYN, and both are used to simulate real-world problems such as vehicle crashworthiness, material modeling, and explosive simulation.
LS-DYNA is a general-purpose multiphysics simulation software package used for simulating crashes, impacts, and explosions, and it is now part of the Ansys Suite.
AUTODYN is another simulation software focused on explosive and impact dynamics, and both applications are used in nuclear weapons research to model how implosion devices compress uranium cores.
The fast16 nuclear weapons sabotage malware places hooks inside these simulation programs, and the tampering only activates during full-scale transient blast and detonation runs.
The Three Attack Strategies
Symantec and Carbon Black identified that the fast16 nuclear weapons sabotage malware consists of three attack strategies when tampering with LS-DYNA and AUTODYN simulations.
The hooks that fast16 places inside the simulation programs are triggered only during specific simulation types, and the fast16 nuclear weapons sabotage malware is selective about when it activates to avoid detection during routine or test simulations.
The attackers wanted to corrupt only the most critical simulations, those involving full-scale transient blasts and detonations that would be used to validate nuclear weapon designs.
The 101 Hook Rules
The fast16 nuclear weapons sabotage malware contains 101 hook rules that can be categorized further into 9 to 10 hook groups, and each group targets different builds of LS-DYNA or AUTODYN.
This level of granularity suggests that the developers of the fast16 nuclear weapons sabotage malware were keeping track of software updates over time, and they added support for different versions as they were released.
Symantec researchers noted that if hook rule groups were added sequentially as needed, they see a hook group added for a previous version of the software after a newer version, and this suggests that simulation users reverted to older versions when faced with anomalies before those older versions were also targeted.
The hook groups represent up to 10 different versions of simulation software, meaning the simulation user updated versions semi-frequently, and the fast16 nuclear weapons sabotage malware developers kept pace with those updates.
The Shadow Brokers Connection
The fast16 nuclear weapons sabotage malware investigation unearthed a reference to the string "fast16" in a text file that was leaked by the anonymous hacking group called The Shadow Brokers in 2017.
The file was part of a massive tranche of hacking tools and exploits allegedly used by the Equation Group, a state-sponsored threat actor with suspected ties to the U.S. National Security Agency (NSA).
This connection strongly suggests that the fast16 nuclear weapons sabotage malware was developed by a Western intelligence agency, most likely the NSA, and the tool was used in operations against nuclear weapons programs in other countries.
SentinelOne previously identified this link, and Symantec's new analysis confirms the connection while adding new technical details about the malware's targeting.
Domain Knowledge Required
The fast16 nuclear weapons sabotage malware required an extraordinary level of domain knowledge to design, and Symantec technical director Vikram Thakur told cybersecurity journalist Kim Zetter that the level of expertise and understanding required in 2005 is mind-blowing.
The developers needed to understand which equations of state matter, which calling conventions are produced by which compilers, and which classes of simulation will or will not trigger the malware's tampering.
Symantec and Carbon Black stated that this degree of domain knowledge is unusual in any era and was very unusual in 2005, and the fast16 nuclear weapons sabotage malware belongs to the same conceptual lineage as Stuxnet.
Comparison to Stuxnet
The fast16 nuclear weapons sabotage malware is often compared to Stuxnet, and both represent a new category of cyber weapon tailored not just to a vendor's product but to a specific physical process.
Stuxnet targeted Siemens programmable logic controllers to damage uranium enrichment centrifuges at Iran's nuclear plant in Natanz, and it was the first publicly known example of malware causing physical destruction.
The fast16 nuclear weapons sabotage malware predates Stuxnet by years, and it targeted simulation software rather than industrial controllers, but the intent was similar: sabotage a nuclear weapons program through digital means.
The fast16 nuclear weapons sabotage malware tampered with the simulations that nuclear weapon designers rely on to validate their implosion models, and corrupted simulations could lead to failed tests or ineffective weapons.
Propagation and Evasion
Fast16 nuclear weapon sabotage software includes methods for spreading through a network and evade detection.
The malware automatically spreads to other endpoints on the same network, ensuring that any machine used to run simulations will generate the same tampered outputs, and this prevents a researcher from getting correct results by simply switching computers.
The fast16 nuclear weapons sabotage malware is also crafted to avoid infecting computers that have certain security products installed, and this suggests the attackers knew which security tools were present in their target environments.
Is Fast16 Still Active?
Symantec stated that it is not known if a modern-day version of fast16 exists in the wild, and the malware components analyzed date from the mid-2000s.
However, the fast16 nuclear weapons sabotage malware demonstrated a capability that nation-states have likely continued to develop, and modern equivalents may exist for current simulation software.
The fast16 nuclear weapons sabotage malware showed that cyber sabotage of nuclear weapons programs was possible in 2005, and it is almost certainly possible today.
The Broader Implications
The fast16 nuclear weapons sabotage malware represents a paradigm shift in how we understand the history of cyber warfare, and it shows that strategic industrial sabotage using malware was being conducted by nation-state actors as far back as 20 years ago.
The fast16 nuclear weapons sabotage malware targeted the design phase of nuclear weapons rather than the production phase, and this is a different and potentially more cost-effective approach than Stuxnet's attack on centrifuges.
If you can corrupt the simulations that validate a nuclear weapon design, you can cause a nation to waste years and billions of dollars developing a weapon that will never work correctly.
Final Thoughts
The fast16 nuclear weapons sabotage malware is a remarkable piece of engineering, and it demonstrates that cyber sabotage of physical processes is not a new phenomenon.
The malware's density threshold of 30 grams per cubic centimeter is a smoking gun, it only activates when simulating uranium under shock compression, and there is no legitimate reason for a malware to check for this condition.
The fast16 nuclear weapons sabotage malware was designed by people who understood nuclear weapon physics, software engineering, and offensive cyber operations, and they built a tool that could corrupt the most sensitive simulations in a nuclear weapons program.
We may never know which country's nuclear program was targeted, or whether the sabotage was successful, but the fast16 nuclear weapons sabotage malware stands as a monument to the early days of cyber warfare, when the line between digital code and physical destruction first began to blur.
FAQ Section
What is Fast16?
The Fast16 virus was found in 2025 but was actually built using LUA code in 2005. It is considered a precursor to the Stuxnet virus. Initially used to destroy Nuclear Armaments, Fast16 accomplished this by modifying Uranium compression simulations conducted by the LS-DYNA and AUTODYN software applications.
How Does Fast16 Target Nuclear Weapons Simulations?
Fast16 detects the density of the material being simulated, looking for the density of at least 30 grams per cubic centimeter, which is the density that uranium will reach if it is subject to shock compression from an implosion device. This will only happen during full-scale transient blast and detonation tests.
Who Made Fast16?
Although Fast16 has no official attribution, the name "Fast16" was found in a set of tools associated with the Shadow Brokers' leaks, which can be traced to the Equation Group-which is thought to be affiliated with the NSA.
What Software Does Fast16 Target?
Fast16 targets LS-DYNA and AUTODYN simulation software, which are used for simulating explosions, crash safety, and material dynamics, including simulating nuclear weapon implosions.
Is fast16 still a threat today?
Symantec stated it is not known if a modern-day version of fast16 exists, the analyzed components date from the mid-2000s, but the technique demonstrated that cyber sabotage of nuclear weapons simulations is possible.