The creators of free-to-play gacha RPG Duet Night Abyss have apologised after players' PCs were infected with malware on March 18 via an update patch for the game's launcher that went live on Steam. Developer Pan Studio blamed a "malicious attack originating from a specific region, targeting our internal office systems and live servers."
Let's be real: that explanation is already raising eyebrows. This is actually the second time that Duet Night Abyss has been compromised in the last month, as another malware attack was distributed through the launcher in late February. The earlier breach was comparatively harmless, but it suggests Pan Studio's security infrastructure has been vulnerable for weeks. The question players are asking isn't just how the breach happened, but why it wasn't prevented the first time around.
The virus in question is Trojan:MSIL/UmbralStealer.DG!MTB, an infostealer virus that can record keystrokes and webcam activity, take screenshots, and steal browser-stored credentials and cryptocurrency wallet information. It can also harvest session tokens from instant-messaging apps like Discord and Telegram, along with session tokens from popular games like Minecraft and Roblox. That's serious territory. This isn't just about game accounts or cosmetic items; this is about real financial exposure.
The silver lining, if you want to call it that, is age. Umbral Stealer first appeared in 2023, which makes it quite old as far as Trojans go. Most players' antivirus software successfully quarantined the program as soon as it was detected. Plenty of users will walk away unscathed because their security tools did exactly what they're supposed to do. But that assumes they have decent antivirus protection in the first place, and that they run regular scans.
Pan Studio's response has followed the gacha game playbook to the letter: free pulls as apology. Players will get 5 copies of Commission Manual: Volume III and 10 Prismatic Hourglasses (which equate to 10 free gacha pulls), available to redeem until March 26 at 8:59 AM PT. It's a calculated move. The rewards are just valuable enough to soften player anger but cheap enough that the loss doesn't genuinely hurt the developer.
The real issue here isn't the free loot boxes or even the malware itself. It's that while the team stated that several "security enhancements" have been implemented to stop further attacks in the future, fans don't seem too convinced. Players made it clear after the February breach that security changes were needed. The fact that another breach occurred just weeks later suggests those warnings went unheeded.
This matters beyond the immediate fallout. Gaming studios that take security seriously treat breaches as existential wake-up calls. Studios that don't will simply cycle through apologies and compensation packages while the same vulnerabilities remain. For a live-service game that handles payment data and player information, that's an institutional failure, not just an external attack.
If you played Duet Night Abyss around March 18, it's worth running a full system scan with current antivirus definitions. Check your browser password manager and any cryptocurrency wallets you may have. And if you were on the fence about the game anyway, the security track record here has just given you a solid reason to skip it.