Skip to content
Russel Van Tuyl edited this page May 6, 2018 · 11 revisions

Merlin is a post-exploit Command & Control (C2) tool, also known as a Remote Access Tool (RAT), that communicates using the HTTP/2 protocol. This tool was the result of my work evaluating HTTP/2 in a paper titled Practical Approach to Detecting and Preventing Web Application Attacks over HTTP/2. Merlin is also my first attempts at learning Golang.

This tool is intended to be used during research and authorized testing.



Another advantage of Merlin is that is cross-platform. Both the Merlin Server and Agent can easily be compiled to run on a multitude of operating systems to include windows, linux, darwin, solaris, freebsd, ARM, MIPS, or android. A list of platforms that Go is capable of cross-compiling for can be found here. Instructions on building Merlin from source can be found on the Building Wiki page.


One aim of the tool is to provide evasion capabilities by leveraging the HTTP/2 protocol. Because the protocol is not understood by many technologies, it should more easily bypass inspection or detection activities.

You can’t perform that action at this time.