Reading the book How to Hack like a Ghost, by Sparc Flow - No Starch Press

I came across some Go based C2 (Command & Control) frameworks. Not knowing what to really expect, I tried to give it a go. I quickly worked out that the book is a little out of date in how this framework now runs, and the online docs leave much to be desired. I am sure for those who know how to use C2 frameworks it makes sense. In the end it took a bit of the -v (verbose) flag and some trial and error before I worked it out.

The first problem was that the book suggested the repo

which is the server. Even with the docs

it was not obvious, until I came across this article

that I actually needed the:

Once that was established, the steps are

git clone https://github.com/Ne0nd0g/merlin
cd merlin
go run main.go
# there are also make targets to build it, e.g. a distro build:
# make distro
# data/temp/v2.1.4/38...88/merlinServer-Darwin-x64

# this runs just fine with defaults
{"time":"2026-03-09T23:09:27.653538+11:00","level":"INFO",
  "msg":"Created new TLS certificate",
  "Serial":25418984412059526003737019249885179218,
  "Subject":["Merlin"],"NotBefore":"2026-03-09T23:09:27.645966+11:00",
  "NotAfter":"2027-03-15T23:09:27.645966+11:00"}
{"time":"2026-03-09T23:09:27.65474+11:00","level":"INFO",
  "msg":"Starting gRPC server on 127.0.0.1:50051"}

This window will show agents and controllers registering, etc.
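The two log lines above are worth reading rather than scrolling past: the server has just minted its own TLS certificate (Subject "Merlin", with a printed validity window) and bound a gRPC port for the CLI. The following Go program is an added example, not part of the post or of the Merlin project, that decodes this structured log output and pulls out those facts so they can be checked or forwarded to monitoring. It assumes only the JSON keys visible in the output above; the sample log is constructed from the post's two events, written one object per line as the server emits them (the post wraps them for display).

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"time"
)

// Constructed sample: the two events printed by the server in the post,
// one JSON object per line. The large Serial value is kept exactly as printed.
const sampleLog = `{"time":"2026-03-09T23:09:27.653538+11:00","level":"INFO","msg":"Created new TLS certificate","Serial":25418984412059526003737019249885179218,"Subject":["Merlin"],"NotBefore":"2026-03-09T23:09:27.645966+11:00","NotAfter":"2027-03-15T23:09:27.645966+11:00"}
{"time":"2026-03-09T23:09:27.65474+11:00","level":"INFO","msg":"Starting gRPC server on 127.0.0.1:50051"}
`

// serverEvent mirrors the JSON keys visible in the server's log lines.
// Serial is decoded as json.Number because the value is wider than int64.
type serverEvent struct {
	Time      time.Time   `json:"time"`
	Level     string      `json:"level"`
	Msg       string      `json:"msg"`
	Serial    json.Number `json:"Serial"`
	Subject   []string    `json:"Subject"`
	NotBefore time.Time   `json:"NotBefore"`
	NotAfter  time.Time   `json:"NotAfter"`
}

// Finding is one fact worth surfacing from the server log.
type Finding struct {
	Kind      string // "tls-cert" or "grpc-listener"
	Detail    string // certificate subject, or the listener address
	ValidDays int    // certificate lifetime in days; 0 for non-certificate findings
}

// scanMerlinLog decodes a stream of JSON events and extracts the certificate
// and listener facts. A json.Decoder is used instead of splitting on newlines
// so that objects wrapped across several lines (as in the post) still decode.
func scanMerlinLog(r io.Reader) ([]Finding, error) {
	dec := json.NewDecoder(r)
	var findings []Finding
	for {
		var ev serverEvent
		err := dec.Decode(&ev)
		if err == io.EOF {
			break
		}
		if err != nil {
			return findings, fmt.Errorf("decoding log event: %w", err)
		}
		switch {
		case ev.Msg == "Created new TLS certificate":
			days := int(ev.NotAfter.Sub(ev.NotBefore).Hours() / 24)
			findings = append(findings, Finding{
				Kind:      "tls-cert",
				Detail:    strings.Join(ev.Subject, ","),
				ValidDays: days,
			})
		case strings.HasPrefix(ev.Msg, "Starting gRPC server on "):
			findings = append(findings, Finding{
				Kind:   "grpc-listener",
				Detail: strings.TrimPrefix(ev.Msg, "Starting gRPC server on "),
			})
		}
	}
	return findings, nil
}

func main() {
	findings, err := scanMerlinLog(strings.NewReader(sampleLog))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-14s %-18s valid_days=%d\n", f.Kind, f.Detail, f.ValidDays)
	}
}
```

Run it against a saved copy of the server output (or pipe `go run main.go` through it) and it reports the self-signed certificate's subject and lifetime together with the gRPC bind address, which is the minimum a reviewer needs to confirm the server is only listening on loopback and to recognise the certificate if it shows up elsewhere.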

git clone https://github.com/Ne0nd0g/merlin-cli
cd merlin-cli
go run main.go

This was a little harder to run, as there seem to be a bunch of text commands but no readline, so VIM keybindings don’t work.

I needed to

  • listeners to go into the menu
  • use HTTP to use the HTTP protocol
  • set Port 8080, as the default port 80 would not be allowed? Maybe I need to run the server with sudo to make this happen?
  • start to start it
  • back to go out of the listener
  • list to list out the listeners

Finally I could start an agent

git clone https://github.com/Ne0nd0g/merlin-agent
cd merlin-agent
go run main.go

This was the hard part, until I ran it with -v, which showed me some defaults that were not obvious, like the agent using the HTTP2 protocol by default. Also the sleep is 30 seconds by default, which means executing a command takes about a minute by the time the agent picks it up and executes it.

The final command that worked well was

go run main.go \
  -v \
  -url http://127.0.0.1:8080 \
  -proto http \
  -sleep 0s

Then I could finally queue a command

# from the merlin-cli
queue <AGENT_UUID> pwd

or interact with an agent

interact <AGENT_UUID>
pwd

or even run a command such as ls over ssh

interact <AGENT_UUID>
ssh <ssh-username> <ssh-hostname>:<port> <command>

It is an intriguing process, and it would be interesting to see how people wrap this up in a process to run on boot, from cron, or as a service. Also there are some specific Windows commands in the list of agent interact commands.