Back to Intelligence

Threat Intel: Detecting 'fast16' – Pre-Stuxnet Lua Malware Targeting Engineering Applications

SA
Security Arsenal Team
April 25, 2026
6 min read

SentinelOne uncovers 'fast16', a 2005-era Lua framework targeting high-precision engineering software. Defend against this ICS threat.

Introduction

The discovery of the 'fast16' malware framework by SentinelOne researchers fundamentally alters our understanding of the timeline regarding cyber-physical attacks. Dating back to 2005—years prior to the infamous Stuxnet campaign—this Lua-based malicious software was specifically designed to sabotage high-precision calculation software.

For defenders in the Operational Technology (OT), Industrial Control Systems (ICS), and critical manufacturing sectors, this discovery is a stark wake-up call. It confirms that adversaries have been actively developing sophisticated, script-based sabotage tools for nearly two decades. Unlike standard IT malware, 'fast16' focuses on the integrity of engineering calculations, potentially leading to undetected catastrophic failures in physical processes. Immediate action is required to hunt for these TTPs (Tactics, Techniques, and Procedures) in environments utilizing engineering and simulation software.

Technical Analysis

Threat Overview: 'fast16' is a malicious framework built on the Lua scripting language. Its primary objective is the manipulation of high-precision calculation software. By tampering with the underlying logic or mathematical outputs, attackers can cause machinery to operate outside safe parameters without triggering traditional alarms, essentially "ghost-sabotaging" the engineering process.

Affected Platforms & Components: While the specific vendor of the targeted high-precision calculation software is not universally disclosed in all reports, the attack vector specifically targets environments where:

  1. Lua Interpreters are present or embedded within engineering tools.
  2. High-Precision Libraries (DLLs/SOs) are used for mathematical modeling, simulation, or centrifuge control logic.
  3. Windows-based Engineering Workstations acting as bridges to OT networks (Historians, HMI design stations).

Attack Chain & Exploitation:

  1. Initial Access: Likely via supply chain compromise or physical intrusion (common in early nation-state ICS campaigns).
  2. Execution: The threat actor deploys the Lua-based payload. Because Lua is often a legitimate component of engineering software (e.g., NI LabVIEW, SCADA scripting interfaces), its execution may appear benign to standard heuristic engines.
  3. Persistence: The malware maintains persistence by injecting scripts into the startup sequence of the target engineering application or modifying configuration files to load malicious .lua modules.
  4. Objective: The scripts hook into calculation functions, introducing subtle errors that degrade machinery (e.g., centrifuges) over time or cause immediate failure based on specific logic triggers.

Exploitation Status: Currently classified as a historical discovery (Active Circa 2005), but the code samples and framework may be repurposed by modern adversaries targeting similar engineering stacks today. There is no active CVE, but the technique is a high-risk Logic Integrity attack.

Detection & Response

Given the use of Lua—a legitimate interpreter in many engineering suites—detection requires identifying anomalous usage patterns rather than simple file signatures.

Sigma Rules

YAML
---
title: Potential fast16 Activity - Lua Interpreter in Engineering Path
id: 8f4c2d11-9a3b-4c1e-8f5d-1a2b3c4d5e6f
status: experimental
description: Detects the execution of Lua interpreters from directories commonly associated with engineering or high-precision software, a TTP observed in the fast16 framework.
references:
  - https://www.sentinelone.com/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\lua.exe'
      - '\wluac.exe'
      - '\lua53.exe'
      - '\lua51.exe'
  selection_path:
    CurrentDirectory|contains:
      - '\Engineering\'
      - '\Simulations\'
      - '\Calc\'
      - '\Program Files\Math\'
      - '\Program Files (x86)\Math\'
  condition: all of selection_*
falsepositives:
  - Legitimate use of Lua by authorized engineers for simulation tasks.
level: high
---
title: Suspicious Lua Script Loading by Engineering Software
id: 3d1e2f4a-5b6c-4d7e-8f9a-1b2c3d4e5f6a
status: experimental
description: Detects engineering applications loading Lua scripts from user-writable directories or unexpected paths, indicative of potential script hijacking or fast16-like behavior.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1574.001
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|contains:
      - 'calc'
      - 'sim'
      - 'eng'
    ImageLoaded|endswith:
      - '.lua'
      - 'lua51.dll'
      - 'lua53.dll'
  filter:
    ImageLoaded|contains:
      - '\Windows\System32\'
      - '\Program Files\'
  condition: selection and not filter
falsepositives:
  - Authorized plugin loading.
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for processes spawning from known Lua binaries or engineering tools executing script commands.

KQL — Microsoft Sentinel / Defender
// Hunt for Lua interpreter execution in engineering contexts
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("lua.exe", "wluac.exe", "lua53.exe", "luac.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, CommandLine, FolderPath
| where FolderPath has_any ("Engineering", "CAD", "Simulation", "SCADA", "ProgramData")
| extend EngineeringContext = case(
  FolderPath has "Engineering", "Engineering Dir",
  FolderPath has "Simulation", "Simulation Dir",
  FolderPath has "ProgramData", "ProgramData Persistence",
  "Other"
)
| summarize count() by DeviceName, EngineeringContext, FileName
| order by count_ desc

Velociraptor VQL

This artifact hunts for Lua script files in directories outside of standard installation paths, which could indicate a dropped payload.

VQL — Velociraptor
-- Hunt for Lua scripts in suspicious user-writeable locations
SELECT FullPath, Size, ModTime, Mode
FROM glob(globs='/**/*.lua')
WHERE NOT FullPath =~ "C:\\Program Files.*" 
  AND NOT FullPath =~ "C:\\Windows.*"
  AND NOT FullPath =~ "C:\\ProgramData.*"
  AND ModTime > now() - 30d

Remediation Script (PowerShell)

Use this script to audit engineering workstations for unauthorized Lua interpreters that could facilitate a fast16-style attack.

PowerShell
# Audit for unauthorized Lua interpreters
# Define authorized directories (whitelist)
$AuthorizedPaths = @(
    "C:\Program Files",
    "C:\Program Files (x86)"
)

# Get all lua.exe processes and their paths
$suspiciousProcesses = Get-WmiObject Win32_Process | Where-Object {
    $_.Name -like "*lua*.exe" -or $_.Name -like "*wluac*.exe"
} | Select-Object Name, ExecutablePath, ProcessId

if ($suspiciousProcesses) {
    Write-Host "[!] Found Lua processes running:" -ForegroundColor Yellow
    foreach ($proc in $suspiciousProcesses) {
        $isAuthorized = $false
        if ($proc.ExecutablePath) {
            foreach ($path in $AuthorizedPaths) {
                if ($proc.ExecutablePath.StartsWith($path, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $isAuthorized = $true
                    break
                }
            }
        }
        
        if (-not $isAuthorized) {
            Write-Host "[ALERT] Unauthorized Lua Interpreter: PID $($proc.ProcessId) - Path: $($proc.ExecutablePath)" -ForegroundColor Red
        } else {
            Write-Host "[INFO] Authorized Lua Interpreter: PID $($proc.ProcessId) - Path: $($proc.ExecutablePath)" -ForegroundColor Green
        }
    }
} else {
    Write-Host "[INFO] No Lua interpreter processes currently detected." -ForegroundColor Green
}

Remediation

To defend against 'fast16' and similar logic-sabotage frameworks, organizations must move beyond signature-based detection and implement strict application controls.

  1. Application Whitelisting (Allowlisting): Implement policies via AppLocker or similar solutions to allow only signed, authorized engineering executables and specific script interpreters to run. Block the execution of lua.exe unless it is invoked directly by a verified parent application (e.g., the primary engineering software).

  2. File Integrity Monitoring (FIM): Deploy FIM on directories housing high-precision calculation software and configuration files. Monitor for the creation of new .lua, .dll, or .conf files.

  3. Network Segmentation: Ensure engineering workstations (CAD/Simulation) are strictly separated from the control network (OT/ICS). A compromised engineering laptop should not have a pathway to push logic changes to a PLC without passing through a secure DMZ or jump host.

  4. Behavioral Analytics: Configure EDR solutions to alert on "Process Doppelganging" or "Herpaderping" techniques often used to hide malicious interpreters behind legitimate filenames.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemfast16lua-malwareics-scada

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action