
Beyond Stuxnet: Detecting 'Fast16' Sabotage Malware and Legacy ICS Threats

Security Arsenal Team
April 28, 2026

The discovery of "Fast16," a sophisticated sabotage tool designed to target industrial control systems (ICS) prior to the infamous Stuxnet attack, serves as a stark reminder that the threats facing Operational Technology (OT) environments are neither new nor strictly modern. This revelation indicates that nation-state actors have been actively developing and deploying cyber-physical weapons for over a decade.

For defenders, this means the threat landscape is deeper than assumed. Legacy systems—often Windows XP or Windows 7 boxes running Step7 or other SCADA software—remain fertile ground for these older, yet highly effective, strains of malware. Fast16 specifically highlights the risk of file-system manipulation and kernel-level drivers used to sabotage industrial processes without immediate detection. Defenders must assume that if a target was valuable enough for Fast16 in the past, similar persistence mechanisms may already exist in their environments today.

Technical Analysis

Affected Products and Platforms

While the specific technical indicators of Fast16 are still being analyzed by the broader community, the context places it firmly in the lineage of early ICS-targeting malware. The affected platforms include:

  • Operating Systems: Legacy Windows versions (Windows 2000, XP, 7) commonly air-gapped in OT environments.
  • ICS Software: Engineering workstations running Siemens SIMATIC Step7 or similar HMIs/SCADA controllers.
  • Architecture: x86 industrial controllers and PLCs.

Vulnerability and Attack Mechanics

Fast16 is characterized as "sabotage" malware, implying its primary goal is the disruption of physical processes rather than espionage. Based on its temporal proximity to Stuxnet, the attack chain likely involves:

  1. Initial Access: Via infected USB drives (a primary vector for air-gapped networks) or supply-chain compromise of software vendors.
  2. Privilege Escalation: Exploiting zero-day vulnerabilities (similar to CVE-2010-2568 used by Stuxnet) to gain SYSTEM-level access.
  3. Persistence (The Core Threat): Installation of a malicious kernel-mode driver (.sys file). This driver is used to hook into the file system, allowing the malware to hide its presence and inject malicious code into the ICS project files without tripping standard integrity checks.
  4. Sabotage Logic: Modification of PLC code blocks (OBs, FBs) to alter the behavior of centrifuges or other machinery, leading to physical damage.

Exploitation Status

  • Status: Historical / Attributed (Active exploitation believed to have occurred mid-2000s to early 2010s).
  • Availability: Technical details are emerging. Defenders should treat this as an active threat for any facility maintaining legacy infrastructure.

Detection & Response

Detecting sabotage malware like Fast16 requires visibility into the kernel layer and strict monitoring of ICS project directories. Standard AV often fails here because the malware uses kernel-level rootkit techniques (file-system and process hooks) to cloak itself from user-mode scanners. The following rules focus on the hallmark behaviors: loading of unsigned kernel drivers (a high-risk indicator in ICS) and anomalous writes to critical ICS project files.

Sigma Rules

YAML
---
title: Potential Fast16-Style Sabotage Kernel Driver Load
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the loading of unsigned or suspicious kernel drivers, a common TTP for ICS sabotage malware like Fast16 and Stuxnet to hide processes and manipulate file systems.
references:
  - https://attack.mitre.org/techniques/T1014/
author: Security Arsenal
date: 2025/04/08
tags:
  # T1014 (Rootkit) sits under Defense Evasion in ATT&CK, not Privilege Escalation
  - attack.defense_evasion
  - attack.t1014
logsource:
  category: driver_load
  product: windows
detection:
  selection:
    Signed: 'false'
    ImageLoaded|endswith:
      - '.sys'
  filter_legit:
    # Filter common hypervisor drivers often found in ICS labs
    ImageLoaded|contains:
      - '\vmware\'
      - '\virtualbox\'
      - '\virtio\'
  condition: selection and not filter_legit
falsepositives:
  - Legacy hardware drivers that are unsigned but authorized
level: high
---
title: ICS Project File Modification via System Process
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects ICS project files (e.g., Step7 .s7p, .awl) being written by system processes or other processes that do not legitimately author projects, indicative of code injection or sabotage. Sysmon has no file-write event, so the rule uses file-create events (Event ID 11), which also fire when an existing file is overwritten.
references:
  - https://attack.mitre.org/techniques/T1565/001/
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.impact
  - attack.t1565.001
logsource:
  # file_event maps to Sysmon Event ID 11 (FileCreate); file_change is Event ID 2 (timestamp change)
  category: file_event
  product: windows
detection:
  selection_target:
    TargetFilename|endswith:
      - '.s7p'
      - '.awl'
      - '.hap'
      - '.pd_'
  selection_process:
    Image|endswith:
      - '\lsass.exe'
      - '\svchost.exe'
      - '\explorer.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate software updates or project backups
  - Manual copying of project files in Windows Explorer
level: critical
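
To check the matching behaviour of the two rules above before deploying them, the following Python evaluator (an added example, not code from the original article or from Security Arsenal) mirrors their logic over constructed Sysmon-style events. Field names follow Sysmon (Event ID 6 driver loads, Event ID 11 file creates); the host names, paths and events are constructed for the demo and are not real telemetry.

```python
"""Offline evaluator for the two Sigma rules above (added example, not from the article)."""
from typing import Dict, List

# Paths that the first rule's filter_legit treats as hypervisor noise.
HYPERVISOR_PATH_FRAGMENTS = ("\\vmware\\", "\\virtualbox\\", "\\virtio\\")

# Extensions and writer processes from the second rule.
ICS_PROJECT_EXTENSIONS = (".s7p", ".awl", ".hap", ".pd_")
SYSTEM_WRITERS = ("\\lsass.exe", "\\svchost.exe", "\\explorer.exe")


def matches_driver_rule(event: Dict) -> bool:
    """Rule 1: an unsigned .sys image was loaded and it is not a known hypervisor driver."""
    if event.get("EventID") != 6:
        return False
    image = str(event.get("ImageLoaded", "")).lower()
    if str(event.get("Signed", "")).lower() != "false" or not image.endswith(".sys"):
        return False
    return not any(frag in image for frag in HYPERVISOR_PATH_FRAGMENTS)


def matches_project_rule(event: Dict) -> bool:
    """Rule 2: an ICS project file was written by a process that should not author projects."""
    if event.get("EventID") != 11:
        return False
    target = str(event.get("TargetFilename", "")).lower()
    image = str(event.get("Image", "")).lower()
    return target.endswith(ICS_PROJECT_EXTENSIONS) and image.endswith(SYSTEM_WRITERS)


def evaluate(events: List[Dict]) -> List[Dict[str, str]]:
    """Return one alert per matching event, tagged with the title of the rule that fired."""
    alerts = []
    for ev in events:
        if matches_driver_rule(ev):
            alerts.append({"rule": "Potential Fast16-Style Sabotage Kernel Driver Load",
                           "host": ev["Computer"], "object": ev["ImageLoaded"]})
        if matches_project_rule(ev):
            alerts.append({"rule": "ICS Project File Modification via System Process",
                           "host": ev["Computer"], "object": ev["TargetFilename"]})
    return alerts


# Constructed sample events (not real telemetry). Host names and paths are assumptions.
SAMPLE_EVENTS = [
    # Unsigned driver with the service name the article lists: should alert.
    {"EventID": 6, "Computer": "ENG-WS01", "Signed": "false",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\mrxnet.sys"},
    # Unsigned hypervisor driver in a lab VM: suppressed by filter_legit.
    {"EventID": 6, "Computer": "ENG-WS02", "Signed": "false",
     "ImageLoaded": "C:\\Program Files\\VMware\\VMware Tools\\vmci.sys"},
    # Signed OS driver: not of interest.
    {"EventID": 6, "Computer": "ENG-WS01", "Signed": "true",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys"},
    # svchost.exe writing a Step7 project file: should alert.
    {"EventID": 11, "Computer": "ENG-WS01",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Siemens\\Step7\\S7Proj\\Plant1\\Plant1.s7p"},
    # The Step7 engineering tool itself writing a block file: expected behaviour.
    {"EventID": 11, "Computer": "ENG-WS01",
     "Image": "C:\\Program Files\\Siemens\\Step7\\S7bin\\s7tgtopx.exe",
     "TargetFilename": "C:\\Siemens\\Step7\\S7Proj\\Plant1\\OB1.awl"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['object']}")
```

Running the block prints two alerts: the unsigned non-hypervisor driver and the svchost.exe write to the .s7p file; the VMware driver, the signed OS driver and the engineering tool's own write are ignored, which is the behaviour the falsepositives sections of the rules describe.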

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for kernel driver loads whose image is unsigned or untrusted.
// Driver loads are recorded in DeviceEvents as ActionType "DriverLoad" (DeviceImageLoadEvents
// covers user-mode DLL loads); signature data lives in DeviceFileCertificateInfo, joined on SHA1.
DeviceEvents
| where ActionType == "DriverLoad"
| where FileName endswith ".sys"
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
  ) on SHA1
| where isnull(IsSigned) or IsSigned == false or IsTrusted == false
| where not(FolderPath has_any ("vmware", "virtualbox", "virtio")) // Exclude common hypervisor noise
| project Timestamp, DeviceName, FileName, FolderPath, Signer, SHA1, SHA256, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc

// Monitor for creation, modification or renaming of ICS project files
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath contains "Siemens" or FolderPath contains "Step7"
    or FileName matches regex @"(?i)\.(s7p|awl|pnl)$"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName, ActionType
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for unsigned drivers loaded in the kernel
SELECT Name, DeviceName, Company, SignedStatus
FROM drivers()
WHERE SignedStatus != "Signed"
  -- Exclude common hypervisor drivers to reduce noise in virtual environments.
  -- Keep the filter as a single AND chain: mixing OR and AND without parentheses
  -- would let the OR branch bypass the exclusions.
  AND NOT Name =~ "(?i)^(vmci|vmx_svga|VBoxMouse)$"

Remediation Script (PowerShell)

PowerShell
<#
    .SYNOPSIS
    Audit ICS Workstation for Unsigned Drivers and Suspicious Kernel Modules.
    .DESCRIPTION
    Enumerates running kernel drivers, verifies the Authenticode signature of each
    driver image, hashes anything that fails verification, and checks for the service
    keys used by Stuxnet-era rootkit drivers. Unsigned kernel drivers are a primary
    vector for Fast16-style sabotage malware. Requires Administrator privileges.
    Get-WmiObject and .NET hashing are used deliberately so the script also runs on
    Windows XP/7 hosts with PowerShell 2.0.
#>

# Check for Administrator privileges
if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "You must run this script as an Administrator."
    exit 1
}

# Win32_SystemDriver reports driver images as \SystemRoot\..., \??\C:\... or a path
# relative to the Windows directory; normalise them so the file can be opened.
function Resolve-DriverPath([string]$PathName) {
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # e.g. System32\drivers\x.sys
    return $p
}

# SHA-256 via .NET so the script does not depend on Get-FileHash (PowerShell 4.0+).
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

Write-Host "[+] Enumerating running kernel drivers and verifying signatures..." -ForegroundColor Cyan

# Boot- and System-start drivers are included on purpose: rootkit drivers are usually
# installed with an early start type, so filtering on StartMode = Auto would hide them.
$runningDrivers = Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq "Running" }

$findings = foreach ($drv in $runningDrivers) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        # A running driver whose image cannot be found on disk is itself suspicious:
        # hiding files from the file system is exactly what Fast16-style rootkits do.
        New-Object PSObject -Property @{
            Name = $drv.Name; DisplayName = $drv.DisplayName; Path = $drv.PathName
            StartMode = $drv.StartMode; Signature = "IMAGE NOT FOUND"; SHA256 = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne "Valid") {
        New-Object PSObject -Property @{
            Name = $drv.Name; DisplayName = $drv.DisplayName; Path = $path
            StartMode = $drv.StartMode; Signature = $sig.Status; SHA256 = (Get-Sha256 $path) }
    }
}

if ($findings) {
    Write-Host "[!] ALERT: Running drivers without a valid Authenticode signature:" -ForegroundColor Red
    $findings | Format-Table Name, DisplayName, Path, StartMode, Signature, SHA256 -AutoSize -Wrap
    Write-Host "[i] Compare unknown drivers against the ICS vendor's approved driver list before acting." -ForegroundColor Yellow
} else {
    Write-Host "[-] All running drivers carry a valid signature." -ForegroundColor Green
}

Write-Host "[+] Checking for Stuxnet/Fast16 associated service keys (e.g., MRXCLS, MRXNET)..." -ForegroundColor Cyan
# Registry provider paths need the 'HKLM:' drive prefix for Test-Path to resolve them.
$regPaths = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\MRXCLS",
    "HKLM:\SYSTEM\CurrentControlSet\Services\MRXNET",
    "HKLM:\SYSTEM\CurrentControlSet\Services\GPDClass"
)

foreach ($path in $regPaths) {
    if (Test-Path -LiteralPath $path) {
        $image = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).ImagePath
        Write-Host "[!!!] CRITICAL: Suspicious service key found at $path (ImagePath: $image)" -ForegroundColor Red
    } else {
        Write-Host "[-] No malicious key found at $path" -ForegroundColor Gray
    }
}

Remediation

  1. Isolate Affected Systems: Immediately disconnect any engineering workstations or HMIs suspected of infection from the ICS network.
  2. Driver Verification: Conduct a comprehensive audit of all kernel-mode drivers (.sys files) on SCADA servers. Utilize tools like Sigcheck or the PowerShell script above to verify signatures. Block any unsigned driver not explicitly whitelisted by the ICS vendor.
  3. Clean Rebuild: For legacy Windows systems, the only guaranteed method of removing sophisticated kernel-level rootkits is a wipe and reload of the operating system and ICS software from trusted, offline media.
  4. Restrict USB Usage: Enforce strict technical controls to disable unauthorized USB storage devices on all air-gapped OT systems. Software restriction policies (SRP) or AppLocker should be configured to prevent executables from running from the Recycle Bin or temporary folders.
  5. Network Segmentation: Ensure a true "Purdue Model" architecture. The ICS zone should not have unrestricted routing to the corporate IT zone, and DMZs should be strictly firewalled.
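
Steps 2 and 3 above rely on verification from trusted, offline media because a kernel rootkit can lie to every tool running on the infected host. The following Python script (an added example, not part of the article or of Security Arsenal's tooling) shows the project-file side of that procedure: it builds a SHA-256 manifest of ICS project files from a known-good state and later verifies the tree against it, reporting added, modified and removed files. The directory layout, file names and the tampering it simulates are constructed for the demo; point PROJECT_ROOT at a real engineering-workstation project tree mounted from a boot disc to use it in practice.

```python
"""Baseline and verify ICS project files with a hash manifest (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Project file extensions from the detection rules above; .pnl is from the KQL hunt.
ICS_PROJECT_EXTENSIONS = {".s7p", ".awl", ".hap", ".pd_", ".pnl"}
PROJECT_ROOT = Path(r"D:\Siemens\Step7\S7Proj")  # assumption: tree mounted from offline media


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large project archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each project file (path relative to root) to its SHA-256 and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ICS_PROJECT_EXTENSIONS:
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline; any non-empty list needs review."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k]["sha256"] != baseline[k]["sha256"]),
    }


def demo(tmp_root: Path = None) -> dict:
    """Constructed walk-through: baseline a small project, alter one block file, verify."""
    if tmp_root is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    proj = tmp_root / "Plant1"
    proj.mkdir(parents=True, exist_ok=True)
    (proj / "Plant1.s7p").write_bytes(b"constructed Step7 project header\n")
    (proj / "OB1.awl").write_text("ORGANIZATION_BLOCK OB1\nBEGIN\n  CALL FB1, DB1\nEND_ORGANIZATION_BLOCK\n")
    (proj / "notes.txt").write_text("not a project file, ignored by the manifest\n")

    # Known-good state: the manifest would be written to read-only offline media.
    baseline = build_manifest(tmp_root)
    (tmp_root / "baseline.json").write_text(json.dumps(baseline, indent=2))

    # Constructed change set standing in for a later edit of the code blocks.
    (proj / "OB1.awl").write_text("ORGANIZATION_BLOCK OB1\nBEGIN\n  CALL FB1, DB1\n  CALL FB99, DB99\nEND_ORGANIZATION_BLOCK\n")
    (proj / "FB99.awl").write_text("FUNCTION_BLOCK FB99\nBEGIN\nEND_FUNCTION_BLOCK\n")

    stored = json.loads((tmp_root / "baseline.json").read_text())
    return verify_manifest(tmp_root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be stored and verified from media the infected host cannot write to; a baseline kept on the workstation itself is only as trustworthy as the kernel that reads it back. The size field is kept alongside the hash so a quick length comparison can triage large trees before the full hash run.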
