explaingit

ne0nd0g/merlin

5,538 Go Audience · ops devops Complexity · 4/5 Setup · hard

TLDR

A post-exploitation command-and-control framework written in Go that lets red team operators communicate with compromised systems over encrypted HTTP/2, HTTP/3, or peer-to-peer channels with multiple detection-evasion options.

Mindmap

mindmap
  root((Merlin C2))
    What it does
      Post-exploitation
      Remote command exec
      Covert comms
    Tech Stack
      Go
      gRPC
      HTTP2 and HTTP3
    Use Cases
      Red team ops
      Payload delivery
      Evasion testing
    Features
      Encrypted traffic
      Multi-operator support
      Mythic integration
    Platforms
      Windows
      Linux
      macOS

Things people build with this

USE CASE 1

Run a red team engagement by deploying Merlin agents on target Windows machines and issuing commands from a central server.

USE CASE 2

Test network detection by generating encrypted, padded C2 traffic over HTTP/2 or HTTP/3 to see if your SIEM catches it.

USE CASE 3

Coordinate a multi-operator red team where several people control agents simultaneously from the same gRPC-connected server.

USE CASE 4

Deliver .NET assemblies or shellcode to a compromised Windows host using built-in payload injection techniques.

Tech stack

Go, gRPC, HTTP/2, HTTP/3

Getting it running

Difficulty · hard Time to first run · 1h+

Requires 7-Zip to unpack the release archive. Windows shellcode injection features require appropriate privileges on the target.

In plain English

Merlin is a command-and-control (C2) tool used in security testing, specifically in post-exploitation scenarios where a researcher or red team operator has already gained access to a target system and needs to communicate with it remotely. The project is written in Go and runs on Windows, macOS, and Linux.

The core design is a server-and-agent model. You run the Merlin server on a machine you control, then deploy a small agent program on the target machine. The agent connects back to your server over an encrypted connection, and from there you can issue commands. Communication can happen over several network protocols, including HTTP/1.1, HTTP/2, HTTP/3, and peer-to-peer links between agents using SMB, TCP, or UDP.

The tool includes features aimed at avoiding network-based detection. Messages between server and agent can be encrypted and encoded in multiple ways, including AES and JSON Web Encryption. Agents can also pad their messages with random data to defeat detection methods that look for fixed-size network packets. Authentication options range from none to an advanced password-based key exchange protocol called OPAQUE.

On Windows systems, Merlin agents can run .NET assemblies, execute Windows executables in isolated processes, and inject shellcode using several different techniques. It also integrates with Donut, sRDI, and SharpGen, which are separate open-source tools for packaging and delivering code payloads.

Multiple operators can connect to the same Merlin server at once through a command-line interface that communicates over gRPC. Merlin also integrates with Mythic, a separate collaborative red-teaming framework.

To get started, you download the server package from the releases page, extract it with 7-Zip, start the server and CLI, configure a listener, and deploy an agent to the target machine.

Copy-paste prompts

Prompt 1
How do I set up a Merlin C2 server, create an HTTP/2 listener, and generate an agent binary to deploy on a target Windows machine?
Prompt 2
Show me how to configure Merlin agents to pad their network traffic with random data to evade fixed-size packet detection.
Prompt 3
How do I integrate Merlin with the Mythic red-teaming framework so I can manage agents from the Mythic interface?
Prompt 4
Walk me through using Merlin to execute a .NET assembly in memory on a compromised Windows host without writing it to disk.
Prompt 5
How do I set up peer-to-peer SMB communication between two Merlin agents when the target has no direct internet access?

Verify against the repo before relying on details.