On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit search to last 7 days only to filter out junk).

Are any of affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something what is related to coin-switching pools (a 3rd party mining stats, a 3rd party rigs monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.