# [CRIT] fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet **Source:** SentinelLabs **Published:** 2026-04-23 **Article:** https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/ ## Threat Profile Advanced Persistent Threat fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet Vitaly Kamluk & Juan Andrés Guerrero-Saade / April 23, 2026 Executive Summary SentinelLABS has uncovered a previously undocumented cyber sabotage framework whose core components date back to 2005, tracked as fast16. fast16.sys selectively targets high-precision calculation software, patching code in memory to tamper with results. By combining this payload with … ## Indicators of Compromise (high-fidelity only) - **SHA256:** `9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525` - **SHA256:** `07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529` - **SHA256:** `8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9` - **SHA1:** `de584703c78a60a56028f9834086facd1401b355` - **MD5:** `dbe51eabebf9d4ef9581ef99844a2944` - **MD5:** `0ff6abe0252d4f37a196a1231fae5f26` - **MD5:** `410eddfc19de44249897986ecc8ac449` ## MITRE ATT&CK Techniques - **T1071.001** — Web Protocols - **T1071.004** — DNS - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1059.001** — PowerShell - **T1027** — Obfuscated Files or Information - **T1543.003** — Persistence (article-specific) - **T1014** — Rootkit - **T1543.003** — Create or Modify System Process: Windows Service - **T1565.001** — Data Manipulation: Stored Data Manipulation - **T1112** — Modify Registry - **T1564** — Hide Artifacts ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### fast16 Sabotage Framework Hash IOC Sweep (svcmgmt.exe / fast16.sys / svcmgmt.dll) `UC_360_5` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_hash IN ("9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525","07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529","8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9","5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010","09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22","8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0","06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47","bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613") OR Processes.parent_process_hash IN ("9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525","07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529","8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9","5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010","09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22","8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0","06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47","bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613")) by Processes.dest Processes.user Processes.process_name Processes.process_path Processes.process Processes.process_hash Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | append [ | tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_hash IN ("9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525","07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529","8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9","5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010","09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22","8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0","06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47","bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613")) by Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.process_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ] ``` **Defender KQL:** ```kql let _fast16_sha256 = dynamic([ "9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525", "07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529", "8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9", "5966513a12a5601b262c4ee4d3e32091feb05b666951d06431c30a8cece83010", "09ca719e06a526f70aadf34fb66b136ed20f923776e6b33a33a9059ef674da22", "8b018452fdd64c346af4d97da420681e2e0b55b8c9ce2b8de75e330993b759a0", "06361562cc53d759fb5a4c2b7aac348e4d23fe59be3b2871b14678365283ca47", "bd04715c5c43c862c38a4ad6c2167ad082a352881e04a35117af9bbfad8e5613"]); let _fast16_sha1 = dynamic([ "de584703c78a60a56028f9834086facd1401b355", "2fa28ef1c6744bdc2021abd4048eefc777dccf22", "586edef41c3b3fba87bf0f0346c7e402f86fc11e", "3ce5b358c2ddd116ac9582efbb38354809999cb5", "650fc6b3e4f62ecdc1ec5728f36bb46ba0f74d05", "d475ace24b9aedebf431efc68f9db32d5ae761bd", "1ce1111702b765f5c4d09315ff1f0d914f7e5c70", "ca665b59bc590292f94c23e04fa458f90d7b20c9"]); let _fast16_md5 = dynamic([ "dbe51eabebf9d4ef9581ef99844a2944", "0ff6abe0252d4f37a196a1231fae5f26", "410eddfc19de44249897986ecc8ac449", "1d2f32c57ae2f2013f513d342925e972", "af4461a149bfd2ba566f2abefe7dcde4", "49a8934ccd34e2aaae6ea1e6a6313ffe", "e0c10106626711f287ff91c0d6314407", "2717b58246237b35d44ef2e49712d3a2"]); union isfuzzy=true ( DeviceProcessEvents | where Timestamp > ago(30d) | where SHA256 in (_fast16_sha256) or SHA1 in (_fast16_sha1) or MD5 in (_fast16_md5) or InitiatingProcessSHA256 in (_fast16_sha256) or InitiatingProcessSHA1 in (_fast16_sha1) or InitiatingProcessMD5 in (_fast16_md5) | project Timestamp, DeviceName, AccountName, EventSource="Process", FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256 ), ( DeviceFileEvents | where Timestamp > ago(30d) | where SHA256 in (_fast16_sha256) or SHA1 in (_fast16_sha1) or MD5 in (_fast16_md5) | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, EventSource="FileWrite", FileName, FolderPath, SHA256, ProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256 ), ( DeviceImageLoadEvents | where Timestamp > ago(30d) | where SHA256 in (_fast16_sha256) or SHA1 in (_fast16_sha1) or MD5 in (_fast16_md5) | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, EventSource="ImageLoad", FileName, FolderPath, SHA256, ProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256 ) | order by Timestamp desc ``` ### fast16 Carrier Runtime Artefacts (SvcMgmt service / pipe p577 / \Device\fast16) `UC_360_6` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name IN ("svcmgmt.exe","svcmgmt.dll","fast16.sys") OR Filesystem.file_path="*\\Device\\fast16*" OR Filesystem.file_path="*\\pipe\\p577*") by Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.process_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | append [ | tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\\Services\\SvcMgmt*" OR (Registry.registry_path="*\\Session Manager\\Memory Management\\PrefetchParameters*" AND Registry.registry_value_name="EnablePrefetcher" AND Registry.registry_value_data="0")) by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_name | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ] | append [ | tstats summariesonly=true allow_old_summaries=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Services where (Services.service_name="SvcMgmt" OR Services.service_path="*svcmgmt.exe*" OR Services.service_path="*fast16.sys*") by Services.dest Services.user Services.service_name Services.service_path Services.start_mode | `drop_dm_object_name(Services)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ] ``` **Defender KQL:** ```kql let _fast16_files = dynamic(["svcmgmt.exe","svcmgmt.dll","fast16.sys"]); union isfuzzy=true ( DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified","FileRenamed") | where FileName in~ (_fast16_files) or FolderPath has @"\Device\fast16" | project Timestamp, DeviceName, EventSource=strcat("File:", ActionType), Detail=strcat(FolderPath, "\\", FileName), SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName ), ( DeviceEvents | where Timestamp > ago(30d) | where ActionType == "NamedPipeEvent" | where FileName has "p577" or AdditionalFields has "p577" or AdditionalFields has @"\\.\pipe\p577" | project Timestamp, DeviceName, EventSource="NamedPipe", Detail=tostring(coalesce(FileName, AdditionalFields)), SHA256=InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName ), ( DeviceEvents | where Timestamp > ago(30d) | where ActionType in ("DriverLoad","ServiceInstalled") | where FileName in~ (_fast16_files) or FolderPath has @"fast16" or RegistryValueName has "SvcMgmt" or RegistryValueData has "svcmgmt.exe" or RegistryValueData has "fast16.sys" | project Timestamp, DeviceName, EventSource=ActionType, Detail=strcat(coalesce(FolderPath,""), "\\", coalesce(FileName,""), " reg=", coalesce(RegistryValueData,"")), SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName ), ( DeviceRegistryEvents | where Timestamp > ago(30d) | where ActionType in ("RegistryValueSet","RegistryKeyCreated") | where (RegistryKey has @"\Services\SvcMgmt") or (RegistryKey has @"\Session Manager\Memory Management\PrefetchParameters" and RegistryValueName =~ "EnablePrefetcher" and RegistryValueData == "0") or (RegistryValueData has "svcmgmt.exe" or RegistryValueData has "fast16.sys") | project Timestamp, DeviceName, EventSource=strcat("Registry:", ActionType), Detail=strcat(RegistryKey, " ", RegistryValueName, "=", RegistryValueData), SHA256=InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName=InitiatingProcessAccountName ) | summarize HitCount=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Sources=make_set(EventSource), Details=make_set(Detail, 20) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName | where HitCount >= 1 | order by LastSeen desc ``` ### Beaconing — periodic outbound to small set of destinations `UC_BEACONING` · phase: **c2** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal" by _time span=10s, All_Traffic.src, All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | streamstats current=f last(_time) AS prev_time by src, dest | eval delta = _time - prev_time | stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest | where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600 | sort - count ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(1d) | where RemoteIPType == "Public" and ActionType == "ConnectionSuccess" | project DeviceName, RemoteIP, RemotePort, Timestamp | sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc | extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1), prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1) | where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port | extend delta_sec = datetime_diff('second', Timestamp, prev_ts) | summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec) by DeviceName, RemoteIP, RemotePort | where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0 | order by conn_count desc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### PowerShell encoded / obfuscated command `UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("powershell.exe","pwsh.exe") AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*" OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*" OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*" OR Processes.process="*Net.WebClient*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ``` ### Article-specific behavioural hunt — fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabota `UC_360_4` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabota ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("fast16.sys","svcmgmt.exe","svcmgmt.dll","ntoskrnl.exe","connotify.dll") OR Processes.process_path="*C:\buildy\driver\fd\i386\fast16.pdb*" OR Processes.process_path="*\Windows\CurrentVersion\Uninstall\Look*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*C:\buildy\driver\fd\i386\fast16.pdb*" OR Filesystem.file_path="*\Windows\CurrentVersion\Uninstall\Look*" OR Filesystem.file_name IN ("fast16.sys","svcmgmt.exe","svcmgmt.dll","ntoskrnl.exe","connotify.dll")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] | append [ | tstats `summariesonly` count from datamodel=Endpoint.Registry where Registry.action IN ("created","modified") AND (Registry.registry_path="*HKLM\\SOFTWARE\\Symantec\\InstalledApps*" OR Registry.registry_path="*HKLM\\SOFTWARE\\Sygate*" OR Registry.registry_path="*HKLM\\SOFTWARE\\TrendMicro\\PFW*" OR Registry.registry_path="*HKLM\\SOFTWARE\\Zone*" OR Registry.registry_path="*HKLM\\SOFTWARE\\F-Secure*" OR Registry.registry_path="*HKLM\\SOFTWARE\\Network*") by Registry.dest, Registry.process_name, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data | `drop_dm_object_name(Registry)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — fast16 | Mystery Shadow Brokers Reference Reveals High-Precision Software Sabota // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("fast16.sys", "svcmgmt.exe", "svcmgmt.dll", "ntoskrnl.exe", "connotify.dll") or FolderPath has_any ("C:\buildy\driver\fd\i386\fast16.pdb", "\Windows\CurrentVersion\Uninstall\Look")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("C:\buildy\driver\fd\i386\fast16.pdb", "\Windows\CurrentVersion\Uninstall\Look") or FileName in~ ("fast16.sys", "svcmgmt.exe", "svcmgmt.dll", "ntoskrnl.exe", "connotify.dll")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // Registry persistence locations named in the article DeviceRegistryEvents | where Timestamp > ago(30d) | where ActionType in ("RegistryValueSet","RegistryKeyCreated") | where RegistryKey has_any ("HKLM\SOFTWARE\Symantec\InstalledApps", "HKLM\SOFTWARE\Sygate", "HKLM\SOFTWARE\TrendMicro\PFW", "HKLM\SOFTWARE\Zone", "HKLM\SOFTWARE\F-Secure", "HKLM\SOFTWARE\Network") | project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `9a10e1faa86a5d39417cae44da5adf38824dfb9a16432e34df766aa1dc9e3525`, `07c69fc33271cf5a2ce03ac1fed7a3b16357aec093c5bf9ef61fbfa4348d0529`, `8fcb4d3d4df61719ee3da98241393779290e0efcd88a49e363e2a2dfbc04dae9`, `de584703c78a60a56028f9834086facd1401b355`, `dbe51eabebf9d4ef9581ef99844a2944`, `0ff6abe0252d4f37a196a1231fae5f26`, `410eddfc19de44249897986ecc8ac449` ## Why this matters Severity classified as **CRIT** based on: IOCs present, 7 use case(s) fired, 12 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.