Last updated: May 14, 2026 at 10:49 AM UTC
Tag: shadowbrokers (1 article)

Researchers find 20-year-old malware that secretly faked engineering math results

Researchers at SentinelOne found malware from 2005 that did something nobody had documented before: it quietly made engineering simulation programs give wrong answers. Instead of stealing data or crashing systems, it tampered with the math behind tools like LS-DYNA (used to design things like car crash safety and weapons), so the results looked normal but were subtly off. The malware, called fast16, is older than Stuxnet - the famous attack on Iran's nuclear program - by five years. Its name appears in leaked NSA files, suggesting the US built it. It was discovered via an old file uploaded to VirusTotal in 2016.

Check
If your environment includes engineering or scientific simulation software (LS-DYNA, PKPM, MOHID, ANSYS), treat the SentinelOne IoCs as a hunt opportunity even on legacy hardware.
Affected
Organizations using high-precision engineering simulation tools - LS-DYNA, PKPM structural analysis, MOHID hydrodynamics - in defense, civil engineering, energy, automotive, or research contexts. The fast16 driver only runs on pre-Windows 7 single-core hardware, so the active risk is forensic. The calculation-corruption pattern is the threat model worth understanding.
Fix
Pull SentinelOne's published YARA rules and IoCs and run them against archived disk images, retired engineering workstations, and air-gapped pre-2010 systems. The broader operational lesson: treat simulation outputs as a high-value target. Audit who can modify simulation binaries, sign and verify simulation results, and add integrity checks to long-running calculation pipelines.
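
One way to combine the binary audit with signed results, as an added example (not SentinelOne's code or anything from the original article): each run gets a record that ties the output file to the exact solver binary and input that produced it. The function names, the approved-hash set and the HMAC key handling are assumptions; the key is assumed to be held by a separate verification host, not the simulation workstation.

```python
import hashlib
import hmac
import json


def sha256_file(path):
    """Stream a file through SHA-256 so large result files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _mac(fields, key):
    # Canonical JSON (sorted keys) so signer and verifier MAC identical bytes.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_run(solver, input_deck, output, key):
    """Build a run record tying the output to the exact solver binary and input."""
    fields = {
        "solver_sha256": sha256_file(solver),
        "input_sha256": sha256_file(input_deck),
        "output_sha256": sha256_file(output),
    }
    return {**fields, "hmac": _mac(fields, key)}


def verify_run(record, solver, input_deck, output, approved_solvers, key):
    """Return a list of findings; an empty list means the run record checks out."""
    findings = []
    fields = {k: v for k, v in record.items() if k != "hmac"}
    if not hmac.compare_digest(record.get("hmac", ""), _mac(fields, key)):
        findings.append("record signature invalid")
    # approved_solvers: hashes of vetted solver builds (hypothetical baseline set).
    if fields.get("solver_sha256") not in approved_solvers:
        findings.append("run used a solver binary outside the approved baseline")
    current = {"solver_sha256": solver, "input_sha256": input_deck, "output_sha256": output}
    for name, path in current.items():
        if sha256_file(path) != fields.get(name):
            findings.append(f"{name} no longer matches the file on disk")
    return findings
```

This flags a modified solver file, an altered result file, or an edited record; it does not detect tampering with a solver that is already running in memory.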