
Duet Night Abyss Malware Incident: Free Pulls Offered as Apology

Gacha RPG Duet Night Abyss accidentally shipped a Trojan virus to players via a Steam launcher update, with developer Pan Studio now offering 10 free gacha pulls as compensation.

Eliza Crichton-Stuart

Updated Mar 20, 2026

Sometimes a game update brings new content, balance fixes, or quality-of-life improvements. Sometimes it brings a Trojan virus straight to your PC. For players of the free-to-play gacha RPG Duet Night Abyss, March 18 was unfortunately the latter. Developer Pan Studio has publicly apologized after a launcher update pushed to Steam at 1:04 AM PT infected an unknown number of players' machines with malware, calling the situation a "cybersecurity incident" caused by a "malicious attack."

The malware responsible is Trojan:MSIL/UmbralStealer.DG!MTB, an infostealer that can do a frightening amount of damage. Keystroke logging, webcam capture, screenshots, stolen browser credentials, cryptocurrency wallet data, and even session tokens from Discord, Telegram, Minecraft, and Roblox are all on its menu. Not exactly what you want bundled with your morning game update.

What Actually Happened, and How Fast Pan Studio Responded

According to Pan Studio's own post-incident timeline, the team became aware of the breach roughly 24 minutes after the malicious launcher patch went live. That's a tight window, and to their credit, they deployed an emergency fix patch approximately two and a half hours after first detecting the problem.

Pan Studio traced the root cause to a targeted attack on their internal office systems and live servers, originating from what they described as "a specific region." The studio also noted that even after the initial breach, whoever was behind the attack continued attempting to spread both the malware and misinformation. "We strongly condemn these actions," the developer said in their full statement covered by Kotaku.

The Silver Lining (Sort Of)

Here's the thing: UmbralStealer is not a new threat. It first surfaced back in 2023, which makes it relatively ancient by malware standards. Because of that, most modern antivirus software recognized and quarantined it automatically before it could do serious damage. That's genuinely good news for the majority of players who had any kind of active security software running.

Still, "your antivirus probably caught it" is not the reassurance any studio wants to be handing out after an incident like this.

10 Free Pulls and a Sincere Apology

In classic gacha game fashion, Pan Studio's apology comes packaged with in-game compensation. Players can collect 15 total reward items through the in-game Mail function:

  • 10 Prismatic Hourglasses (each equates to one free gacha pull)
  • 5 copies of Commission Manual: Volume III (used to boost rewards from Covert Commissions quests)

Those rewards are available to claim until March 26 at 8:59 AM PT / 10:59 AM ET, so don't sit on this one.

"The development team sincerely apologizes for the inconvenience and concern this incident has caused to players worldwide," Pan Studio said. "We understand that apologies and compensation cannot immediately bridge the gap in trust."

That last line is doing a lot of work. Ten gacha pulls is a nice gesture, but the studio clearly knows this goes beyond a standard compensation package. The phrase "serious wake-up call" appearing in their own statement says it all.

What This Means for Live Service Security

This incident is a stark reminder that live service games, especially those pushing frequent launcher and client updates, represent a real attack surface. Players trust that patching their game won't compromise their machine. When that trust breaks, even once, the damage runs deeper than any malware scan can fix.

Pan Studio's relatively fast response time is worth acknowledging, and the transparency in their post-incident breakdown is more than some studios manage. But the questions players are now asking about how a malicious payload made it into a production build in the first place are entirely fair ones.

Posted March 20th 2026
