In 2013, a public report reveals a group of actors conducted targeted attacks leverage a malware dubbed ICEFOG against mainly government organizations and defense industry of South Korea and Japan. Little has been published on the activities of ICEFOG malwares since the report was released more than six years ago. However, despite a pause and a decrease in sample number were observed, the attacks leveraging the ICEFOG malware did not entirely stop after the exposure. In the past few years, we observed different attacks which the malware delivered and exploit with different tactic, techniques and procedure (TTP) compare with the campaign reported in 2013. In the recent attack, a new variant of the ICEFOG samples were also discovered. In this talk, I will introduce our finding among different samples discovered across these years and highlight the evolved TTPs that actor applied to evade detection in the new campaign. In addition, I will also introduce and clarify the potential connections between ICEFOG operator and other APT groups.