It is not malware on users' computers. Miners are receiving stratum redirect commands. It is most likely a form of MITM attack, but definitely not something on the user end. It is happening among multiple pools with various mining clients and operating systems.
It is not cgwatcher/cgremote related; that user on Waffle has a separate issue.
Kalroth's thoughts:
https://bitcointalk.org/index.php?topic=433634.msg5864631#msg5864631
There's not much I can do other than disable the reconnect code, which several individuals already have done.
I'll do a quick update of my github and binaries soon enough.
From a quick glance, it looks like someone found a way to send a spoofed* JSON packet to stratum pools, which makes the pool send a redirect request to (some of?) its clients.
It does not look like it's a bug in the client software, merely an unfortunate feature.
* http://en.wikipedia.org/wiki/IP_address_spoofing
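A defensive check for the redirect described above, as an added example that is not part of the original post or of any mining client's code: it reads each stratum line received from the pool and only lets a `client.reconnect` request through when it points back at the configured pool. The host names, the port and the same-endpoint policy are assumptions made for illustration.

```python
import json

def reconnect_target(line):
    """Return (host, port) for a client.reconnect request, else None.
    Omitted params come back as None, meaning "same pool"."""
    try:
        msg = json.loads(line)
    except ValueError:
        return None                      # not JSON, not our concern here
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return None
    params = msg.get("params")
    if not isinstance(params, list):
        params = []
    host = params[0] if len(params) > 0 and params[0] else None
    port = params[1] if len(params) > 1 and params[1] else None
    return host, port

def review(line, pool_host, pool_port):
    """Classify one line from the pool: 'pass', 'allow' or 'block'."""
    target = reconnect_target(line)
    if target is None:
        return "pass"                    # ordinary stratum traffic
    host, port = target
    try:
        port = pool_port if port is None else int(port)
    except (TypeError, ValueError):
        return "block"                   # malformed port: refuse to follow
    configured = pool_host.lower()
    host = configured if host is None else str(host).lower().rstrip(".")
    if host == configured and port == pool_port:
        return "allow"                   # reconnect to the pool we configured
    return "block"                       # redirect to a different endpoint

# Constructed sample traffic; host names are placeholders (assumption).
SAMPLE = [
    '{"id": null, "method": "mining.set_difficulty", "params": [64]}',
    '{"id": null, "method": "client.reconnect", "params": []}',
    '{"id": null, "method": "client.reconnect", "params": ["pool.example.net", "3333", 0]}',
    '{"id": null, "method": "client.reconnect", "params": ["other.example.org", 3333, 0]}',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(review(line, "pool.example.net", 3333), line)
```

Lines classified as `block` are the ones worth logging with the pool name and timestamp, since they show which pools are relaying the redirect.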