{
	"id": "7abf89a6-904a-4650-ad1f-c6adbe7e7361",
	"created_at": "2026-04-06T00:12:17.802633Z",
	"updated_at": "2026-04-10T13:12:37.58497Z",
	"deleted_at": null,
	"sha1_hash": "547586aeec063c70a4d6c34003a32f52d05f9948",
	"title": "Russia-Aligned TA499 Beleaguers Targets with Video Calls | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1620019,
	"plain_text": "Russia-Aligned TA499 Beleaguers Targets with Video Calls |\r\nProofpoint US\r\nBy March 07, 2023 Zydeca Cass and the Proofpoint Threat Research Team\r\nPublished: 2023-03-01 · Archived: 2026-04-02 10:51:21 UTC\r\nKey Takeaways\r\nTA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in\r\nemail campaigns since at least 2021. \r\nThe threat actor’s campaigns attempt to convince high-profile North American and European government\r\nofficials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls\r\nor video chats.\r\nThe calls are almost certainly a pro-Russia propaganda effort designed to create negative political content\r\nabout those who have spoken out against Russian President Vladimir Putin and, in the last year, opposed\r\nRussia’s invasion of Ukraine.\r\nTA499 is not a threat to take lightly due to the damage such propaganda could have on the brand and\r\npublic perception of those targeted as well as the perpetuation of disinformation.\r\nOverview\r\nProofpoint researchers have been tracking malicious email campaigns by the Russia-aligned TA499, publicly\r\nknown as Vovan and Lexus, since early 2021. TA499’s campaigns began to ramp up in late January 2022,\r\nculminating in increasingly aggressive attempts after Russia invaded Ukraine in late February 2022. Since that\r\ntime, the threat actor has engaged in steady activity and expanded its targeting to include prominent\r\nbusinesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian\r\nefforts or those making public statements about Russian disinformation and propaganda. These messages try to\r\nsolicit information from the targeted individuals and entice them into further contact via phone calls or remote\r\nvideo. 
The emails have not contained malware, only communications or invitations purporting to be from an\r\nembassy of Ukraine, Ukraine’s Prime Minister, a Ukrainian parliamentarian, or their assistants.\r\nProofpoint tracks TA499 as an impersonation-based, patriotically motivated misinformation pair of actors aligned\r\nwith the Russian state. The group has a record of targeting high-profile persons of interest that have spoken out\r\nabout the Russian regime, in favor of sanctions against Russia, and against the detainment of well-known Russian\r\nopposition leader Alexei Navalny. While the level of official government support TA499 receives is unknown, the\r\nrecordings are generally used to garner support and sympathy for the current Russian regime and their actions.  \r\nCritiques of Putin, Russia Spur TA499 Action in 2022\r\nTA499’s email campaigns kicked into high gear as tensions built between Russia and Ukraine and have not abated\r\nsince Russia invaded Ukraine in February 2022. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests\r\nPage 1 of 9\n\nFigure 1. Timeline of TA499 activity in 2022.\r\nSince late-January 2022, the threat actor has largely focused its email attempts on scheduling a video or phone call\r\nmeeting with high-profile North American or European government officials and CEOs of prominent companies.\r\nIn a shift from their 2021 activity, these campaigns have almost exclusively centered on topics relating to the\r\nRussia-Ukraine war. 
Even after TA499 expanded its victimology in March 2022 to include public figures not in\r\ngovernment positions, such as businesspeople and celebrities, the threat actor kept with these same social\r\nengineering themed lures.\r\nOnly in the latter half of 2022 did TA499 begin to reincorporate some of its pre-war themes and email addresses,\r\nbut those continue to be a fraction of their overall activity.\r\nEarly 2022: TA499’s initial 2022 campaigns used the same actor-controlled domain (oleksandrmerezhko[.]com)\r\nand sender address (office@oleksandrmerezhko[.]com) as its 2021 campaigns, and directly targeted individuals\r\nthat had spoken out regarding:\r\nBill to Arm Ukraine against Russia\r\nSupport of Sanctions on the Nord Stream II Pipeline\r\nBombing of Russian military assets and other military actions\r\nBy March 2022, amid a backdrop of condemnation by the international community of Russian President Vladimir\r\nPutin’s actions in Ukraine and instatement of sanctions, TA499 adopted new personality impersonations. Most\r\nnotably, the threat actor began to masquerade as the Ukrainian Prime Minister Denys Shmyhal and his purported\r\nassistant. To make the emails convincing in their legitimacy, the sender addresses leveraged the popular internet\r\nservice and email provider Ukr.net and pretended to be from either “the Embassy of Ukraine to the US” or “the\r\nEmbassy of Ukraine in the US:” embassy.usa@ukr[.]net and embassy.us@ukr[.]net. The subjects focused on\r\nUkrainian officials making requests of the targets, such as:\r\nUkrainian Parliament – [Target Name]. Request\r\nPrime Minister of Ukraine. Request\r\nUkrainian Parliament – [Target Name]\r\nEmbassy of Ukraine - CEO [Target Name]. 
Request\r\nAs seen in Figure 2, Proofpoint researchers identified and tracked this new activity through TA499’s preference\r\nfor including their new sender addresses in the TO: or CC: lines of email campaigns leveraging older addresses. It\r\nis important to note that the threat actor cycles through its addresses. While one may appear to have gone dormant,\r\nit could return in future TA499 campaigns.\r\nFigure 2. Proofpoint attributed email addresses to TA499. The threat actor primarily used the first four in 2021\r\nand the last two in its 2022 campaigns; however, TA499 started to leverage its Navalny and Merezhko email\r\naddresses again in late 2022.\r\nAccording to open-source reporting, in addition to the Proofpoint-identified campaigns, the Shmyhal personality\r\nwas used to target two UK cabinet members as well. Given the similarities in tactics, Proofpoint researchers assess\r\nwith high confidence that this was the work of TA499.\r\nMid-2022: By mid-2022, TA499 started to explore using an additional embassy-themed email address\r\n(embassy.chernysh@ukr[.]net) and even utilized an actor-controlled International Atomic Energy Agency (IAEA)-\r\nthemed domain (office@iaea[.]co[.]uk) to send emails with a subject line of “URGENT: IAEA Director General”\r\nto international aides and assistants of senior government officials. The timing of this activity aligned with\r\na public statement by the IAEA Director General about the urgent situation at Ukraine’s Zaporizhzhia nuclear\r\npower plant. 
It is likely that the international attention surrounding the state of the power plant inspired TA499’s\r\ndecision to use an IAEA lure.\r\nA Return to Early TA499 Themes\r\nThrough the rest of 2022, TA499 integrated email addresses not observed in Proofpoint data since at least March\r\n2022, including those pretending to be Oleksandr Merezhko, a Ukrainian Member of Parliament (MP) and Vice\r\nPresident of the Parliamentary Assembly of the Council of Europe (PACE), and Leonid Volkov, the Chief of Staff\r\nfor Russian opposition leader Alexei Navalny (noted in Figure 2). \r\nFigure 3. In late 2022, TA499 again posed as Merezhko and used email address\r\noffice@oleksandrmerezhko[.]com. This address was dormant between March 2022 and September 2022.\r\nNavalny has long been a focus for TA499 campaigns with the threat actor targeting individuals with an interest in\r\nand publicly positive stances on the oppositionist since early 2021. Timeline analysis and Proofpoint telemetry\r\nhave revealed targeting of individuals explicitly involved in the statements condemning the arrest of Navalny on\r\nFebruary 2nd, 2021, and the reintroduction of the Holding Russia Accountable for Malign Activities Act of 2021\r\non February 3rd, 2021. As seen in the sample email in Figure 4, TA499 has repeatedly used social engineering\r\nwith a focus on directing conversation to easily recorded meetings and subject lines such as: \r\n“Request. Vice-President of the Parliamentary Assembly of the Council of Europe (PACE)”\r\n“[redacted] - Russian opposition leader Alexei Navalny's team”\r\n“Russian opposition leader Alexei Navalny's team – [redacted]”\r\n“Alexei Navalny's Chief of Staff - [redacted]. Request”\r\n“Re: Meeting with Mr Volkov”\r\nFigure 4. 
A 2021 email message posing as Leonid Volkov, Alexei Navalny’s Chief of Staff.\r\nThe World is Watching…On YouTube (or RUTUBE)\r\nTA499 posts recordings of its video calls on YouTube and RUTUBE. One of the threat actor’s YouTube channels\r\nwas taken down early in the Russia-Ukraine war, forcing TA499 to revert to using one of its older YouTube\r\nchannels for posting.\r\nFor high-profile targets that agree to follow-up video calls, TA499 has pretended to be various people, going so far\r\nas to use extensive makeup to appear exactly like the impersonated individual. They have masqueraded as the\r\nPrime Minister of Ukraine, Denys Shmyhal, and Oleksandr Merezhko. Video calls recorded in 2021 show TA499\r\nimpersonating Leonid Volkov as well. Open-source reporting has detailed the use of Deepfake Artificial\r\nIntelligence software to explain how TA499 takes on Volkov’s appearance, and possibly that of others, though the\r\nmalicious actor denies the use of the software. The actor does not appear to be using any voice modulation,\r\nprimarily focusing on the targets’ lack of familiarity with the contact and the element of surprise.\r\nFigure 5. Screenshot (left) from TA499’s first episode of “Дипфейк Шоу” or “Deepfake Show,” where Lexus\r\nimpersonates Leonid Volkov, and picture of the real Volkov (right) for comparison.\r\nConversations with TA499 typically begin serious and allow the target to voluntarily say as much information as\r\npossible. Once the target begins asking questions, the actor mirrors the target’s replies to keep the conversation\r\ngoing. Some of the 2021 videos with the threat actor have the Leonid Volkov impersonator asking for financial\r\nsupport and appear to encourage the target into voicing particular obligations and efforts in tandem with the\r\nRussian opposition led by Navalny. 
Once the target makes a statement on the matter, the video devolves into\r\nantics, attempting to catch the target in embarrassing comments or acts. The recordings are then edited for\r\nemphasis and placed on YouTube and Twitter for Russian and English-speaking audiences. \r\nFigure 6. TA499 posted a “video call” with fugitive Kazakh oligarch Mukhtar Ablyazov on the threat actor’s\r\nYouTube channel, which has since been taken down.\r\nConclusion\r\nTA499 is a very public group that is garnering a fan following. They have personas that not only post the material\r\ndiscussed in this report online but also perform reenactments on Russia state-sponsored media as well as attend\r\nconferences. With the war between Russia and Ukraine unlikely to end in the near-term and Ukraine continuing to\r\ngarner support from organizations worldwide, Proofpoint assesses with high confidence that TA499 will attempt\r\nto continue with its campaigns in support of its influencer content and political agenda. TA499 is likely to reuse\r\nold or establish additional infrastructure in support of this activity.\r\nBeing a target of this group is gradually becoming more common. While the primary targeting of TA499 remains\r\nthe C-level or the highest profile positions possible at any given entity, Proofpoint recommends that anyone who\r\nsuspects they might be a target of TA499’s take care in verifying the identities of those inviting them to conduct\r\nbusiness or discuss political topics over video conferencing. 
In particular, if high-profile individuals reach out\r\nsuddenly via email and without prior introduction through a known and verified source, you should proceed with\r\ncaution.\r\nCheck out the latest podcast episode on DISCARDED, Prank or Propaganda? TA499 Pesters Politics. Listen now\r\non our website, Apple Podcasts, Spotify, Google Podcasts or wherever you get podcasts. \r\nIndicators of Compromise (IOCs)\r\nIndicator Type Description\r\noffice@oleksandrmerezhko[.]com  Sender address 2022 campaigns\r\nsecretary.mfa@gmail[.]com  Sender address 2022 campaigns\r\nembassy.usa@ukr[.]net  Sender address 2022 campaigns\r\nembassy.us@ukr[.]net  Sender address 2022 campaigns\r\ns.dorenko@ukr[.]net  Sender address 2022 campaigns\r\nembassy.chernysh@ukr[.]net Sender address 2022 campaigns\r\noffice@iaea[.]co[.]uk Sender address 2022 campaign\r\niaea[.]com[.]uk Domain 2022 campaign\r\noleksandrmerezhko[.]com Domain 2021 \u0026 2022 campaigns\r\nnavalny[.]team Domain 2021 campaigns\r\noffice@oleksandrmerezhko[.]com Sender address 2021 \u0026 2022 campaigns\r\nlvolkov@navalny[.]team Sender address 2021 campaigns\r\njulia@navalny[.]team Sender address 2021 campaigns\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests"
	],
	"report_names": [
		"dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests"
	],
	"threat_actors": [
		{
			"id": "3f42c8f4-2cf1-4555-abff-b19852033aec",
			"created_at": "2023-11-08T02:00:07.099084Z",
			"updated_at": "2026-04-10T02:00:03.41336Z",
			"deleted_at": null,
			"main_name": "TA499",
			"aliases": [
				"Vovan",
				"Lexus"
			],
			"source_name": "MISPGALAXY:TA499",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/547586aeec063c70a4d6c34003a32f52d05f9948.pdf",
		"text": "https://archive.orkl.eu/547586aeec063c70a4d6c34003a32f52d05f9948.txt",
		"img": "https://archive.orkl.eu/547586aeec063c70a4d6c34003a32f52d05f9948.jpg"
	}
}