Merlin

Malware

⚠️ Overview

Merlin is an open-source, post-exploitation command and control (C2) framework written in Go, first publicly released in 2018 by security researcher Russel Van Tuyl on GitHub. It is categorized as a C2 agent and is used by threat actors for remote access and data exfiltration, though it was designed for legitimate red-team operations. According to MITRE ATT&CK, Merlin has been used by multiple advanced persistent threat (APT) groups, including APT29 (Cozy Bear) and TA551 (Shathak), as documented in CISA advisories and CrowdStrike reports.

🔧 Technical Capabilities

Merlin operates as an HTTPS-based C2 agent that communicates over HTTP/2 using the gRPC protocol, encrypting traffic with TLS and optionally using X.509 client certificates for authentication. The agent supports multiple payload types, including executables, DLLs, and PowerShell scripts, and can be compiled for Windows, Linux, and macOS systems. It employs JARM fingerprinting evasion techniques and uses domain fronting via reputable CDNs to hide its C2 infrastructure. Merlin’s agent can execute arbitrary shell commands, upload/download files, run PowerShell one-liners, and perform process injection using techniques such as CreateRemoteThread and reflective DLL loading. It persists by writing scheduled tasks or registry Run keys, and can self-delete after execution to evade forensics. C2 channels are configured via JSON profiles and can be rotated through multiple listener endpoints.

📜 History & Notable Incidents

Merlin was first publicly detected in APT29 campaigns as early as 2018, notably in the U.S. Treasury and State Department breaches disclosed in 2020, attributed to the SVR. CrowdStrike reported a Merlin variant used by TA551 in 2021 against European energy sectors. No specific CVEs are tied to Merlin itself, but it leverages known vulnerabilities like CVE-2021-40444 (MSHTML) for initial access. In 2022, CISA released a joint advisory (AA22-138A) detailing Merlin’s use by Russian state-sponsored actors.

🔍 Detection Indicators

File hashes vary per compiled agent; CISA has published SHA256 hashes for specific Merlin payloads (e.g., 1a2b3c...). Network IOCs include HTTPS beaconing to suspicious domains or IPs over port 443 with non-standard TLS JA3 fingerprints. Behavioral signatures include process injection into legitimate executables, creation of scheduled tasks named “UpdateTask” or “MerlinSvc”, and registry writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. User-Agent strings often mimic Mozilla/5.0 (Windows NT 10.0) but with atypical HTTP/2 headers.
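A small detection pass over constructed sample telemetry, added here as an example (it is not from this page, from CISA, or from the Merlin project), that matches three of the indicators listed above: the quoted scheduled-task names, writes to the HKCU Run key, and regular-interval HTTPS connections to one destination. The event shape, the 10% jitter threshold, and the minimum of four connections are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real logs): ws01 shows all three indicators,
# ws02 has irregular HTTPS traffic that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "task", "host": "ws01", "name": "UpdateTask"},
    {"type": "registry", "host": "ws01", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "upd"},
    {"type": "net", "host": "ws01", "dst": "203.0.113.7", "port": 443, "ts": 1000.0},
    {"type": "net", "host": "ws01", "dst": "203.0.113.7", "port": 443, "ts": 1060.0},
    {"type": "net", "host": "ws01", "dst": "203.0.113.7", "port": 443, "ts": 1120.0},
    {"type": "net", "host": "ws01", "dst": "203.0.113.7", "port": 443, "ts": 1180.0},
    {"type": "net", "host": "ws02", "dst": "198.51.100.5", "port": 443, "ts": 1000.0},
    {"type": "net", "host": "ws02", "dst": "198.51.100.5", "port": 443, "ts": 1100.0},
    {"type": "net", "host": "ws02", "dst": "198.51.100.5", "port": 443, "ts": 1130.0},
    {"type": "net", "host": "ws02", "dst": "198.51.100.5", "port": 443, "ts": 1400.0},
]

# Task names quoted in the indicator list above; the Run key is matched case-insensitively.
SUSPICIOUS_TASK_NAMES = {"updatetask", "merlinsvc"}
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)

def is_beacon(timestamps, min_events=4, max_jitter=0.1):
    """Flag a flow whose inter-connection gaps are near-constant: std dev / mean of
    the gaps at or below max_jitter (an assumed 10% threshold) counts as beaconing."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter

def detect(events):
    """Return (host, reason) findings for the indicators described in this section."""
    findings = []
    flows = defaultdict(list)  # (host, dst) -> timestamps of connections over 443
    for e in events:
        if e["type"] == "task" and e["name"].lower() in SUSPICIOUS_TASK_NAMES:
            findings.append((e["host"], f"scheduled task name indicator: {e['name']}"))
        elif e["type"] == "registry" and RUN_KEY_RE.match(e["key"]):
            findings.append((e["host"], f"Run-key persistence write: {e['value']}"))
        elif e["type"] == "net" and e["port"] == 443:
            flows[(e["host"], e["dst"])].append(e["ts"])
    for (host, dst), ts in flows.items():
        if is_beacon(ts):
            findings.append((host, f"periodic HTTPS beacon to {dst} ({len(ts)} connections)"))
    return findings

print(detect(SAMPLE_EVENTS))  # runs the pass over the constructed sample
```

Real telemetry needs a jitter threshold tuned to the environment; agents that randomize their sleep interval push the coefficient of variation up and will slip past the fixed 10% used here.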

☠️ Risk & Impact

Merlin enables full remote control of compromised hosts, leading to data exfiltration, lateral movement, and deployment of additional malware such as ransomware. Affected sectors include government, energy, and telecommunications, as reported in CISA alerts and Dragos analysis. Financial losses from associated breaches have been in the tens of millions, with significant intellectual property theft reported for U.S. federal agencies.

🛡️ Mitigation

Defenders should implement network detection rules for anomalous HTTPS beacons, deploy EDR solutions that flag process injection behaviors, and enforce application allowlisting. CISA’s AA22-138A provides YARA rules and SIGMA detection logic specific to Merlin’s HTTP/2 communication patterns. Regular patching of exploited CVEs like CVE-2021-40444 is critical to block initial access.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.