Post Exploitationc2command-and-controlhttp2golangpost-exploitation

Merlin

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang. It provides control server, agent, and identification capabilities for managing compromised systems.

Description

Merlin serves as a Command & Control (C2) framework designed for post-exploitation operations. The primary metapackage includes the control server, agent, and an identification tool, enabling comprehensive management of agent communications. The server component listens for client connections over HTTP/2, supporting secure and efficient command dispatch to deployed agents.

Use cases include maintaining persistence on target systems, executing commands remotely, and exfiltrating data through HTTP/2 channels. The tool's Golang implementation ensures cross-platform compatibility across Windows, Linux, and other operating systems, making it suitable for diverse penetration testing and red team engagements.

The package ecosystem includes source development files (golang-github-ne0nd0g-merlin-dev) for customization and the standalone server (merlin-server) for deployment. Dependencies leverage modern Golang libraries for encryption, networking, and user interaction.

How It Works

Merlin operates as an HTTP/2-based C2 server that listens for agent connections on a specified address, defaulting to 127.0.0.1:50051. Agents communicate bidirectionally over HTTP/2 protocols, utilizing libraries like quic-go for QUIC support and JA3 transport for fingerprint evasion. The server supports CLI RPC clients authenticated via password, with debug logging options for troubleshooting. Internals include opaque encryption (gopaque), JSON serialization (gojay), and UUID handling for session management.

Installation

bash
sudo apt install merlin

Flags

-addr stringThe address to listen on for client connections (default "127.0.0.1:50051")
-debugEnable debug logging
-extraEnable extra debug logging
-password stringthe password for CLI RPC clients to connect to this server (default "merlin")

Examples

Installs the merlin metapackage including server, agent, and identification tool
sudo apt install merlin
Installs the standalone Merlin C2 server
sudo apt install merlin-server
Installs the Merlin source Go files for development
sudo apt install golang-github-ne0nd0g-merlin-dev
Displays usage help for the Merlin server with available flags
merlinserver -h
Starts the Merlin server listening on default address 127.0.0.1:50051
merlinserver
Starts the server listening on all interfaces port 443
merlinserver -addr 0.0.0.0:443
Starts the server with debug logging enabled
merlinserver -debug
Updated 2026-04-16kali.org ↗