Things it could still be:
1) Miner malware. It hits too many different configurations (OS's, miner versions, etc) to be in the miner itself. Perhaps a bad wallet or something, but to accomplish what they're doing, it would need to be injecting packets into your TCP stack, which while possible, is unlikely.
What we think it is:
Our best guess at the current time is a MITM attack somewhere on the internet.
I do not believe it is miner malware because it is happening with various miners on various operating systems and, for me, it is only happening when connected to Wafflepool.
I use Kalroth's 3.7.3 from
http://k-dev.net/cgminer/ on Win7, Asus router with Tomato FW and remote access disabled, and my ISP's DNS. DNS checks were always resolved correctly to Wafflepool's IP when I checked. My miner went to backup pool completely because of --failover-only and firewall blocking the [probable] stratum redirect.
You said your code didn't change. Is it possible it is a sort of malware resident in server's memory?