Releases: Ne0nd0g/merlin
v0.8.0.BETA
- Added OPAQUE Password Authenticated Key Exchange (PAKE)
- JWT authentication and JWE payloads
- Go lang's gob encoding for network traffic
- Enabled HTTP/1.1 support
- Added the ability to set an arbitrary HTTP Host header
- Added support to hardcode a web proxy
- Added new PRISM binary to fingerprint Merlin server instances
- View the CHANGELOG for additional details
The compressed files have a password of merlin
V0.7.0
View the blog post for additional details
- Cross-Platform Native Commands
- Agent Kill Date
- Status Command & UTC Timestamp
- Compiling with Hard-coded URL
- Docker File
- Extended Modules
- Minidump
- Auto Generated X.509 Certificates
- Shellcode Execution
- Shellcode Reflective DLL Injection (sRDI)
- View the CHANGELOG for additional details
The compressed files have a password of merlin
Execute Shellcode
This release adds the ability to execute shellcode through an Agent (Windows only). Check the Wiki for examples
- A compiled version of the agent is distributed in the data/bin directory
- X.509 certificates are distributed with the release to facilitate ease of use. Create new certificates prior to production use.
- View the CHANGELOG for additional details
The compressed files have a password of merlin
QUIC Protocol
The most significant part of this release is adding support for QUIC as a C2 protocol.
- Use the -proto command line flag for both the agent and server with a value of h2 for HTTP/2 and hq for QUIC. The default is h2.
- A warning message is given when the server is run with the x509 certificates distributed with Merlin.
- The sessions and info commands will now tell you the status of the agent (Active, Delayed, or Dead).
- New remove command to clear a dead agent from the server.
- Server now defaults to the loopback adapter interface of 127.0.0.1 when started without the -i command line flag.
- View the CHANGELOG for additional details
The compressed files have a password of merlin.
DLL & Invoke-Merlin PowerShell
Version numbers changed drastically to start following semantic versioning. Merlin now ships with the pre-compiled agent binary files with each Merlin Server download in the data/bin directory. You no longer need to download the agents separately. Support was added for a DLL version of the Merlin Agent. See the Agent Execution Quick Start Guide wiki page for examples. Added an Invoke-Merlin.ps1 script to reflectively load the merlin.dll into memory, but is not considered stable. Added Merlin's official logo to main README. Significant updates to Wiki for better support.
The compressed files have a password of merlin.
Modules, Menus, JavaScript, File Upload/Download
Several features added by community members @ahhh and @twigatech to allow agent file upload and downloads along with checkin time skew. Basic support for modules has been added. The Merlin JavaScript agent is also included. A brand new and easier to use menu system. Check the CHANGELOG for additional information.
The compressed files have a password of merlin
Initial Public Release
This is the first public release of Merlin. Code is stable enough to be used and documentation is adequate enough to get started. An introductory blog post is available here: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a
The compressed files have a password of merlin.
Small Update
Updated agent to include a random padding of up to 4096 bytes per message to help prevent detection based off consistent message size. Added in a Makefile to make building the server and agent easier. Added in new libraries to help with displaying information in formatted tables. Added in tab completion for commands issued on the server.
The Beginning
This release marks a stable BETA version of Merlin. Both the server and the agent cross-compile to Windows, Linux, and MacOS. The 64 bit version of the agent binaries for all 3 platforms can be found in data\bin. The 32 bit binaries are not provided, but could be compiled if you desire. Check the README in the data\bin directory. To run this release, download Merlin_v0.1Beta.zip and unzip the contents. Next, download the applicable binary for your platform (i.e. merlinserver_windows_x64.exe) and place it in the root of that unzipped folder. The binary can be run from the command line. Alternatively, Merlin can be run directly as a go script with go run cmd\merlinserver.go.