The attacks start with spear-phishing messages that employ lures relevant to the targeted organizations, such as aviation, travel, and cargo, and deliver an image that pretends to be a PDF file and which contains an embedded link. The attackers abuse legitimate web services and they leverage a newly identified loader dubbed Snip3 for the delivery…