LABScon25 Replay | Keynote: Steps to an Ecology of Cyber ift.tt/8XKiqc1 In this final video in our LABScon Replay series from LABScon 25, we present the keynote from SentinelLABS’ own Juan Andrés Guerrero-Saade (JAGS), VP, Intelligence & Security Research and Senior T…
Ransomware negotiator tied to $56M in attacks was sentenced, DPRK-linked fraudulent IT worker schemes were disrupted, novel PCPJack attacks cloud infrastructure to steal credentials, and a Palo Alto firewall zero-day is under active exploitation. This is the Good, Bad & Ugly. ⬇️

✅ GOOD
- Global ransomware negotiator tied to $56M in cyberattacks sentenced to 8.5 years
- Two U.S. nationals sentenced for facilitating fraudulent DPRK-linked remote IT worker schemes
- Authorities continue targeting the financial and operational ecosystems enabling cybercrime

⚠️ BAD
- SentinelLABS identifies “PCPJack”, a new credential theft network attacking cloud infrastructure to harvest credentials and secrets
- PCPJack targets exposed services like Docker, Kubernetes, Redis, MongoDB, and RayML
- A defining lack of cryptominers in the attack points to monetization through fraud, spam, extortion, or resale of stolen access

🤢 UGLY
- Palo Alto Networks warns its customers of actively exploited PAN-OS firewall zero-day
- Internet-facing security infrastructure remains a high-priority target for attackers
- Organizations wait for incoming patch as exploitation continues in the wild

Full breakdown → s1.ai/GBU9-Wk19
🔴 SentinelLABS' new report on the "fast16" malware is not just a historical discovery in cybersecurity; it paints a troubling picture of a much older and more hidden stage of cyber warfare. This sabotage framework dates back to 2005, that is, at least five years before Stuxnet was publicly disclosed.

🔸 Unlike much of the malware of that era, which was designed to steal data or cause direct destruction, fast16 had a different goal: covertly manipulating the computations of engineering and simulation software. The malware could tamper with code in memory without any noticeable change to the original file, subtly altering the output of specialized software. The user might consider the result completely normal while the calculations had been deliberately skewed.

🔸 The significance of this is not only technical. In engineering simulation software, even very small changes in the calculation of pressure, friction or an explosion can change the entire outcome of a project. The report notes that fast16 probably targeted software such as LS-DYNA, a tool used for modeling explosions, structural behavior, and even some sensitive military and nuclear projects.

🔸 One of the most dangerous characteristics of fast16 was its method of spreading and staying hidden. The malware examined its environment, checked for the absence of security software, and activated only under suitable conditions. It also did not target every program; it selectively went after files built with specific engineering compilers, a sign that the attackers had precise knowledge of the target's software supply chain.

🔸 Perhaps the most important message of this report is that cyber warfare is not only about shutting down systems or stealing information. fast16 shows that an attack can be aimed at "trust": trust in scientific calculations, research results and engineering tools. If software outputs are altered imperceptibly, even the scientific process and technical decision-making can be contaminated. Full article on the Raaznet website: raaznet.com/fa/blog/fast16-p…
SentinelLabs described PCPJack as a credential-stealing cloud worm that evicts TeamPCP, spreads laterally via exposed services, exfiltrates secrets to Telegram, and uses modular Python tooling for credential harvesting and cloud propagation. sentinelone.com/labs/cloud-w…
🚨 Our Friday radio show has been pushed to your collective earholes and eyeballs. Three Buddy Problem – Episode 96: We're joined by WIRED writer Andy Greenberg to dig into SentinelLabs' bombshell FAST16 research, a newly deciphered piece of sabotage malware that predates Stuxnet by five years and quietly tampered with physics modeling software likely tied to Iran's nuclear program. @a_greenberg @craiu @juanandres_gs @LabsSentinel @wearetlpblack

We discuss the attribution rabbit hole (NSA? Israel? someone else?), the eerie "spiritual warfare" implications of corrupting scientific calculations, and Antiy Labs' very dialectical Chinese rebuttal. Plus, what AI reverse-engineering means for the next decade of cyber paleontology.

The show is available everywhere!
- YouTube youtu.be/jIr6QdgUodU
- Spotify open.spotify.com/episode/4zD…
- Apple Podcasts podcasts.apple.com/us/podcas…
- Transcript docs.google.com/document/d/1…
@labscon_io 2026 Call for Papers is open. Sept 16–19, Scottsdale. Invite-only. Fifth year. Hosted by @LabsSentinel. A program committee with reviewers from Google, Netflix, Dartmouth, Johns Hopkins, and SentinelLABS. Malware, exploits, APTs, cybercrime — any platform. Original work only. No vendor theater. Bring the paper. Deadline June 19. labscon.io/
‼️fast16: The Cyberweapon Hidden for 21 Years

SentinelLabs uncovered fast16, a previously undocumented cyber sabotage framework dating back to 2005, at least five years before Stuxnet. Unlike typical malware, fast16 was not built to steal data or visibly destroy systems. Its purpose was to silently corrupt high-precision engineering and scientific calculations, making software produce believable but deliberately wrong results.

The malware used a carrier called svcmgmt.exe, which embedded a Lua 5.0 virtual machine and could run as a Windows service, execute encrypted payloads, or spread across Windows 2000/XP networks using weak or default admin credentials. Its main sabotage component, fast16.sys, was a boot-level kernel driver that intercepted executable files compiled with the Intel C/C++ compiler and used 101 patching rules to alter floating-point calculations in memory while leaving files on disk unchanged.

SentinelLabs linked the patching logic to possible targets including LS-DYNA 970, PKPM, and MOHID, software used for explosions, structural engineering, seismic analysis, hydrodynamics, and other sensitive simulations. This could have impacted nuclear research, engineering design, or strategic infrastructure projects.

A reference to fast16 also appeared in the ShadowBrokers 2017 leak of alleged NSA Equation Group materials, suggesting a possible state-backed or Equation Group/NSA connection, though attribution remains unconfirmed.

The malware stayed nearly invisible for years: svcmgmt.exe was uploaded to VirusTotal in 2016 and was detected by only 1 out of roughly 70 antivirus engines.

Source: sentinelone.com/labs/fast16-…
SentinelLABS uncovers fast16, a previously undocumented sabotage framework that pre-dates Stuxnet by at least five years. The core (fast16.sys) payload targets high-precision calculation software. sentinelone.com/labs/fast16-…
Replying to @SentinelOne
Pre-2010 sabotage frameworks rewriting the timeline on industrial OT attacks is the kind of research that should land in every security exec's inbox. Would love to host SentinelLabs on What's Up with Tech / techimpact.tv.
Authorities secure guilty pleas from a crypto hacker and a ransomware negotiator, international cyber agencies warn of large-scale botnet abuse by China-linked actors, and a 2005-era sabotage framework reshapes how we think about cyber-physical attacks today. This is the Good, Bad & Ugly. ⬇️

✅ GOOD
- U.K. national and leader of UNC3944 pleads guilty to hacking companies and stealing $8M in cryptocurrency
- Florida-based ransomware negotiator pleads guilty to helping deploy BlackCat ransomware attacks
- Both cases highlight how ransomware ecosystems extend beyond attackers to brokers and facilitators, too

⚠️ BAD
- International agencies warn of China-linked actors using botnets of compromised, internet-connected devices
- Operations leverage scale and distributed infrastructure to evade detection
- Consumer IoT is increasingly being weaponized for stealthy, persistent campaigns

🤢 UGLY
- SentinelLABS uncovers fast16, a cyber sabotage framework dating back to 2005
- Targets high-precision computing by silently altering calculation results across facilities
- Predates Stuxnet and signals early nation-state interest in scientific and industrial sabotage

Full breakdown → s1.ai/GBU9-Wk17
SentinelLABS reveals fast16, a 2005 framework that predates Stuxnet. It sabotages high-precision calculations in nuclear research by patching math in memory. #fast16 #CyberSecurity #Stuxnet #APT #InfoSec #CyberSabotage #MalwareHistory securityonline.info/fast16-m…
In case you missed it: What happens when the FortiGate next-generation firewall protecting your network becomes the backdoor? 🚪

Throughout early 2026, our DFIR team has been tracking a wave of FortiGate NGFW compromises. We have observed attackers exploiting vulnerabilities to extract config files, steal service account credentials, and move laterally. The worst part? Most organizations lack the log retention to see how it happened. In a report from earlier this month, SentinelLABS and SentinelOne DFIR researchers break down the attacker playbook.

Could this get worse? Yes. LLMs are acting as a cheat code, boosting lower-skilled threat actors to conduct these exact types of attacks. Because AI models are trained on these NGFW appliances, they give attackers a step-by-step guide on how to gain access and move deeper into your network. Expect attack volumes on exposed edge devices to keep rising.

Because you typically cannot install EDR on edge devices like FortiGate, your defense strategy has to shift. You need to stream your logs to a SIEM.

Get the full threat breakdown and defense playbook from SentinelLABS researcher Alex Delamotte and DFIR members Stephen Bromfield, Mary Braden Murphy, and Amey Patne: s1.ai/frtgate26
Over the past 5 months, SentinelLABS has embraced a remit of experimenting with frontier model capabilities towards meaningful security applications. We’ve been reporting on our findings openly as we complete them. We hope it’ll help others looking for ways to meaningfully impact cybersecurity.
It takes a human analyst an average of 41 minutes to process a single CTI report. An LLM typically does it in 3.3 minutes. Our latest @LabsSentinel evaluation shows LLM-driven pipelines can process threat intel 18x faster than manual workflows. But there’s a catch. ⚠️ 🧵
As part of our SentinelLABS innovation initiative, we’re exploring how AI can transform narrative threat reports into structured, machine-readable knowledge graphs. The goal? Turning messy text into linked data that security teams can actually use at scale.