Merlin
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang. It provides control server, agent, and identification capabilities for managing compromised systems.
Description
Merlin serves as a Command & Control (C2) framework designed for post-exploitation operations. The primary metapackage includes the control server, agent, and an identification tool, enabling comprehensive management of agent communications. The server component listens for client connections over HTTP/2, supporting secure and efficient command dispatch to deployed agents.
Use cases include maintaining persistence on target systems, executing commands remotely, and exfiltrating data through HTTP/2 channels. The tool's Golang implementation ensures cross-platform compatibility across Windows, Linux, and other operating systems, making it suitable for diverse penetration testing and red team engagements.
The package ecosystem includes source development files (golang-github-ne0nd0g-merlin-dev) for customization and the standalone server (merlin-server) for deployment. Dependencies leverage modern Golang libraries for encryption, networking, and user interaction.
How It Works
Merlin operates as an HTTP/2-based C2 server that listens for agent connections on a specified address, defaulting to 127.0.0.1:50051. Agents communicate bidirectionally over HTTP/2 protocols, utilizing libraries like quic-go for QUIC support and JA3 transport for fingerprint evasion. The server supports CLI RPC clients authenticated via password, with debug logging options for troubleshooting. Internals include opaque encryption (gopaque), JSON serialization (gojay), and UUID handling for session management.
Installation
sudo apt install merlin
Flags
Examples
sudo apt install merlin
sudo apt install merlin-server
sudo apt install golang-github-ne0nd0g-merlin-dev
merlinserver -h
merlinserver
merlinserver -addr 0.0.0.0:443
merlinserver -debug