TDrop2 Attacks Suggest Dark Seoul Attackers Return
2015-11-18 • Palo Alto Networks
Unit 42 reports TDrop2 activity in 2015 that closely resembled the Dark Seoul and Operation Troy toolset, while noting that the available evidence was insufficient to prove conclusively that the same operators were responsible. The observed attack targeted the European transportation and logistics sector through a trojanized industrial-control security-camera video player hosted by a legitimate software distributor. TDrop2 installs the expected video player while also running malware that uses process hollowing, retrieves a second-stage payload disguised as an image whose PE header has been altered to "DW", and executes reconnaissance and download commands. Network traffic uses encryption plus a custom base64 alphabet, and the similarities to Operation Troy include shared encoding behavior, string decryption routines, and a matching POST separator. The report also notes that the C2 servers were compromised websites in South Korea and Europe, and that the analyzed samples did not show the destructive wiping behavior associated with the original Dark Seoul incident.
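A defender-side check for the disguise described above, added here as an illustrative example rather than code from the Unit 42 report: a downloaded "image" whose first two bytes read "DW" but whose e_lfanew field still points at a valid "PE\0\0" signature is not an image, and restoring the "MZ" magic lets standard PE tooling parse it. The sample header bytes are constructed for the test and are not from any real sample.

```python
"""Detect a PE payload whose 'MZ' magic was rewritten to 'DW' and is served
as an image. Constructed test bytes only; no real malware is embedded."""
import struct

MZ_MAGIC = b"MZ"
ALTERED_MAGIC = b"DW"        # magic the report describes on the disguised payload
PE_SIGNATURE = b"PE\x00\x00"


def pe_signature_offset(data: bytes):
    """Return e_lfanew if it points at a valid PE signature, else None."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must lie past the DOS header and inside the buffer
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    return e_lfanew


def classify(data: bytes) -> str:
    """'pe' for a normal PE, 'disguised_pe' for DW magic over a PE layout, else 'other'."""
    if pe_signature_offset(data) is None:
        return "other"          # real JPEG/PNG data fails the e_lfanew check
    magic = data[:2]
    if magic == MZ_MAGIC:
        return "pe"
    if magic == ALTERED_MAGIC:
        return "disguised_pe"
    return "other"


def restore_mz(data: bytes) -> bytes:
    """Put the MZ magic back so ordinary PE parsers can analyse the payload."""
    if classify(data) != "disguised_pe":
        raise ValueError("not a DW-disguised PE")
    return MZ_MAGIC + data[2:]


def make_sample(magic: bytes) -> bytes:
    """Construct a minimal DOS header plus PE signature for testing (not a real binary)."""
    header = bytearray(0x80)
    header[0:2] = magic
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)
```

Running `classify` over files fetched with an image extension flags the "disguised_pe" case for quarantine and analysis, while genuine image data is reported as "other".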