gitwtfhub

wtf is merlin?

ne0nd0g/merlin — explained in plain English

Analysis updated 2026-06-26

5,538GoAudience · ops devopsComplexity · 4/5Setup · hard

TL;DR

A post-exploitation command-and-control framework written in Go that lets red team operators communicate with compromised systems over encrypted HTTP/2, HTTP/3, or peer-to-peer channels with multiple detection-evasion options.

Mindmap

mindmap
  root((Merlin C2))
    What it does
      Post-exploitation
      Remote command exec
      Covert comms
    Tech Stack
      Go
      gRPC
      HTTP2 and HTTP3
    Use Cases
      Red team ops
      Payload delivery
      Evasion testing
    Features
      Encrypted traffic
      Multi-operator support
      Mythic integration
    Platforms
      Windows
      Linux
      macOS

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Run a red team engagement by deploying Merlin agents on target Windows machines and issuing commands from a central server.

REASON 2

Test network detection by generating encrypted, padded C2 traffic over HTTP/2 or HTTP/3 to see if your SIEM catches it.

REASON 3

Coordinate a multi-operator red team where several people control agents simultaneously from the same gRPC-connected server.

REASON 4

Deliver .NET assemblies or shellcode to a compromised Windows host using built-in payload injection techniques.

What's in the stack?

GogRPCHTTP/2HTTP/3

How it stacks up

ne0nd0g/merlinkahing/goofysbililive-go/bililive-go
Stars5,5385,5425,543
LanguageGoGoGo
Setup difficultyhardmoderatemoderate
Complexity4/53/53/5
Audienceops devopsops devopsgeneral

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1h+

Requires 7-Zip to unpack the release archive, Windows shellcode injection features require appropriate privileges on the target.

Wtf does this do

Merlin is a command-and-control (C2) tool used in security testing, specifically in post-exploitation scenarios where a researcher or red team operator has already gained access to a target system and needs to communicate with it remotely. The project is written in Go and runs on Windows, macOS, and Linux. The core design is a server-and-agent model. You run the Merlin server on a machine you control, then deploy a small agent program on the target machine. The agent connects back to your server over an encrypted connection, and from there you can issue commands. Communication can happen over several network protocols, including HTTP/1.1, HTTP/2, HTTP/3, and peer-to-peer links between agents using SMB, TCP, or UDP. The tool includes features aimed at avoiding network-based detection. Messages between server and agent can be encrypted and encoded in multiple ways, including AES and JSON Web Encryption. Agents can also pad their messages with random data to defeat detection methods that look for fixed-size network packets. Authentication options range from none to an advanced password-based key exchange protocol called OPAQUE. On Windows systems, Merlin agents can run .NET assemblies, execute Windows executables in isolated processes, and inject shellcode using several different techniques. It also integrates with Donut, sRDI, and SharpGen, which are separate open-source tools for packaging and delivering code payloads. Multiple operators can connect to the same Merlin server at once through a command-line interface that communicates over gRPC. Merlin also integrates with Mythic, a separate collaborative red-teaming framework. To get started, you download the server package from the releases page, extract it with 7-Zip, start the server and CLI, configure a listener, and deploy an agent to the target machine.

Yoink these prompts

Prompt 1
How do I set up a Merlin C2 server, create an HTTP/2 listener, and generate an agent binary to deploy on a target Windows machine?
Prompt 2
Show me how to configure Merlin agents to pad their network traffic with random data to evade fixed-size packet detection.
Prompt 3
How do I integrate Merlin with the Mythic red-teaming framework so I can manage agents from the Mythic interface?
Prompt 4
Walk me through using Merlin to execute a .NET assembly in memory on a compromised Windows host without writing it to disk.
Prompt 5
How do I set up peer-to-peer SMB communication between two Merlin agents when the target has no direct internet access?

Frequently asked questions

wtf is merlin?

A post-exploitation command-and-control framework written in Go that lets red team operators communicate with compromised systems over encrypted HTTP/2, HTTP/3, or peer-to-peer channels with multiple detection-evasion options.

What language is merlin written in?

Mainly Go. The stack also includes Go, gRPC, HTTP/2.

How hard is merlin to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is merlin for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.