v2.4.3

Changed

• Upgraded the minimum version of go to v1.23
• Upgraded the following libraries
  • golang.org/x/crypto v0.28.0 => v0.37.0
  • golang.org/x/net v0.30.0 => v0.39.0
  • golang.org/x/sync v0.8.0 => v0.13.0
  • golang.org/x/sys v0.26.0 => v0.32.0
  • golang.org/x/text v0.19.0 => v0.24.0
  • github.com/go-jose/go-jose/v3 v3.0.3 => v3.0.4
  • github.com/quic-go/quic-go v0.47.0 => v0.50.1

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.4.2

Fixed

• Fixed Issue 43 - Added fmt import to FreeBSD shell

Changed

• Check if Mythic client configuration contained a PSK for the Mythic http C2 profile
• Upgraded the following libraries:
  • golang.org/x/crypto v0.22.0 => v0.28.0
  • golang.org/x/net v0.24.0 => v0.30.0
  • golang.org/x/sys v0.19.0 => v0.26.0
  • golang.org/x/text v0.14.0 => v0.19.0
  • github.com/fatih/color v1.16.0 => v1.17.0
  • github.com/quic-go/quic-go v0.42.0 => v0.47.0
  • github.com/refraction-networking/utls v1.6.4 => v1.6.7

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.4.1

Changed

• Upgraded golang.org/x/crypto v0.21.0 => v0.22.0
• Upgraded golang.org/x/sys v0.18.0 => v0.19.0
• Upgraded golang.org/x/mod v0.16.0 => v0.17.0
• Upgraded golang.org/x/tools v0.19.0 => v0.20.0
• Upgraded golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 => v0.0.0-20240416160154-fe59bbe5cc7f
• Upgraded github.com/google/pprof v0.0.0-20240320155624-b11c3daa6f07 => v0.0.0-20240422182052-72c8669ad3e7
• Upgraded github.com/onsi/ginkgo/v2 v2.17.0 => v2.17.1
• Upgraded github.com/klauspost/compress v1.17.7 => v1.17.8
• Upgraded github.com/refraction-networking/utls v1.6.3 => v1.6.4
• GoVulnCheck to use the latest version of Go

Security

• GO-2024-2687 - Upgraded golang.org/x/net to v0.24.0 to address CVE-2024-2687

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.4.0

Added

• Mythic client handles multiple HTTP headers with the Mythic http C2 Profile
• Automatic Windows HTTP proxy authentication through the winhttp API
• Added the -http-client command line argument and HTTPCLIENT Makefile variable to specify which HTTP client to use
  • Use go for the default Go HTTP client
  • Use winhttp API for HTTP C2
• Use go build tags to control which C2 clients are compiled into the agent. Build Tags
  • When ANY build tag is included, the agent will ONLY include that feature and nothing else. For example, if ONLY the http tag is provided, the SMB, TCP, and UDP clients will not be included.
  • If one of the following build tags is used, then only the C2 profiles provided will be compiled in
  • http - Include all HTTP clients (including HTTP/1.1, HTTP/2, and HTTP/3)
  • http1 - Include HTTP/1.1 client
  • http2 - Include HTTP/2 client
  • http3 - Include HTTP/3 client
  • winhttp - Include Windows winhttp API client
  • mythic - Include the Mythic client for the Mythic http C2 profile
  • smb - Include SMB client
  • tcp - Include TCP client
  • udp - Include UDP client

Fixed

• Resolved several SOCKS5 issues
  • Updated Mythic client to handle post_response actions with ServerPostResponse structure to include SOCKS information
  • Created a go routine and a channel just for sending SOCKS data in place of using the Jobs channel
• Issue 38 - Added evasion_386.go to facilitate x86 Windows builds

Changed

• Upgraded the following libraries to their latest version
  • upgraded golang.org/x/net v0.21.0 => v0.22.0
  • upgraded github.com/google/uuid v1.5.0 => v1.6.0
  • upgraded github.com/quic-go/quic-go v0.40.1 => v0.42.0
  • upgraded github.com/refraction-networking/utls v1.6.0 => v1.6.3

Security

• Upgraded go-jose/v3 to v3.0.3 to address CVE-2024-28180

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.3.0

Added

• Support to decode Simplified Chinese (Code Page 936) encoding to UTF-8
• Support to decode Traditional Chinese (Code Page 950) encoding to UTF-8
• Support to decode Korean (Code Page 949) encoding to UTF-8
• Added RSA as a valid authentication method for Mythic EKE
• Added mythic encoder to transform messages in the format Mythic expects them in

Changed

• Refactored clients/mythic to correctly implement the Client interface from merlin-agent/v2 package
  • Moved encryption out of the client and into the transforms
  • Accepts authenticator, transforms, and secure TLS configuration items
• Upgraded:
  • github.com/Ne0nd0g/merlin-message to v1.3.0
  • golang.org/x/net to v0.19.0
  • github.com/quic-go/quic-go to v0.40.1
  • github.com/refraction-networking/utls to v1.6.0
• Removed GOGARBLE environment variable from Makefile

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.2.0

Added

• New os/windows/pkg/text package to detect and handle non UTF-8 encoding
  • Only handles ShiftJIS at this moment
  • Will replace non UTF-8 characters with a � character

Fixed

• Issue 33 - Added handling for ShiftJIS encoding

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.1.0

Changed

• Allow the TLS X509 certificate validation setting to be passed through to JA3 and Parrot clients
• JA3 & Parrot HTTP transports use agent's -secure command line argument to determine if TLS X.509 certificate validation should be performed
• Upgraded the following modules
  • golang.org/x/sys v0.13.0 => v0.14.0
  • golang.org/x/net v0.17.0 => v0.18.0
  • github.com/go-jose/go-jose/v3 v3.0.0 => v3.0.1
  • github.com/fatih/color v1.15.0 => v1.16.0

Fixed

• Issue 26 - uTLS package uses HTTP proxy if provided or from environment variables
  • Implemented a custom dialer to connect to the proxy first and then the destination
• uTLS package for correctly set the TLS version from the provided JA3 string

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v2.0.0

Added

• Peer-to-Peer Agent communication methods: smb-bind, smb-reverse, tcp-bind, tcp-reverse, udp-bind, udp-reverse
  • An associated Listener UUID must be provided with -listener command line argument or LISTENER Make file variable
  • An associated network interface and port must be provided with the -addr command line argument or ADDR Make file variable
  • Delegate message type and associated handling
• Configurable Agent authentication methods: OPAQUE & none
  • Added auth variable to main.go
  • Added AUTH variable to Make file (e.g., make windows AUTH=OPAQUE)
  • Added -auth command line argument
• Configurable Agent transforms: gob-base, gob-string, base64-byte, base64-string, hex,-byte, hex-string, aes, jwe, rc4, and xor
  • Added transforms variable to main.go
  • Added TRANSFORMS variable to Make file (e.g., `make windows TRANSFORMS=aes,gob-base)
  • Added -transforms command line argument
• link command for the Agent to initiate a peer-to-peer connection with a listening bind agent
  • Example: link tcp 192.168.1.72:4444
• listener command for the Agent to start a listener to receive a connection from a reverse peer-to-peer connection
  • list to return a list of instantiated on the Agent (e.g., listener list)
  • start to start a listener based on the passed in type and interface
    • Example: listener start tcp 0.0.0.0:4444
  • stop to stop an already created listener
    • Example: listener stop tcp [::]:4444
• unlink command to disconnect a chile peer-to-peer agent from its parent
  • Example: unlink childAgentID
• GitHub Actions for building and testing the Merlin Agent
• Implemented "services" and "repositories"
  • Services are: agent, client, job, message, and p2p
• Configurable TLS x.509 certificate validation
  • Default is false, TLS certificates are not validated
  • Added -secure command line argument to require TLS X.509 certificate validation
  • Added SECURE variable to Make file (e.g., make windows SECURE=true)

Changed

• Moved from Initial to Authenticated for Agent struct
• Removed tests
• Upgraded quic-go to v0.40.0
• The Minimum supported Go version is now 1.20
• HTTP URL rotation strategy is now random instead of round-robin
• Replaced github.com/satori/go.uuid with github.com/google/uuid
• Replaced github.com/square/go-jose with github.com/go-jose/go-jose
• Replaced github.com/Ne0nd0g/merlin/pkg/messages with github.com/Ne0nd0g/merlin-message
  • Removes the need to depend on or import the Merlin Server package

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.6.5

Changed

• Replaced manual Windows DLL and procedure loads for Golang's Windows package and moved remaining to os/windows/api directory
• Replaced PAGE_EXECUTE_READWRITE with PAGE_READWRITE for shellcode memory allocation
• Replaced PAGE_EXECUTE with PAGE_EXECUTE_READ after shellcode memory allocation

Fixed

• Issue 28 - Use Golang's Windows package for API calls where possible

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin

v1.6.3

Fixed

• Issue 25 - Updated Mythic CheckIn structure's PID to integer

Merlin documentation and Wiki can be found here

The compressed files have a password of merlin