Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised.Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened.We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. In this talk , we will also share how we making an OT adversary emulation tool according to what we summarized and MITRE ICS matrix.