In 2013, a public report revealed that a group of actors had conducted targeted attacks leveraging malware dubbed ICEFOG, mainly against government organizations and the defense industry of South Korea and Japan. Little has been published about the activities of ICEFOG malware since the report was released more than six years ago. However, despite a pause and a decrease in sample numbers, the attacks leveraging the ICEFOG malware did not entirely stop after the exposure. In the past few years, we observed different attacks in which the malware was delivered and exploited with different tactics, techniques and procedures (TTPs) compared with the campaign reported in 2013. In the recent attack, samples of a new ICEFOG variant were also discovered. In this talk, I will introduce our findings from the different samples discovered across these years and highlight the evolved TTPs that the actor applied to evade detection in the new campaign. In addition, I will also introduce and clarify the potential connections between the ICEFOG operator and other APT groups.