In my opinion it varies too greatly to be malware. Various OS's, software and routers. It's possible that if they use similar software for it to be exploited, but I'm unaware of whether they use custom or off-the shelf solutions. But MITM attacks have been very popular lately.
DNS hijacking seems unlikely, as that's a pretty massive thing to implement, and if you have that ability you're probably going after bigger fish.
As far as I know, CM and WP are the two largest profit switching pools. So who are bigger fish that I'm unaware of?
But since it can be
any network connected device that was infected and remotely controlled the mining machines, there could be a common OS between all infected
networks. I agree that it seems unlikely, but occam's razor here. The rest of the options seem
more unlikely.
In regards to DNS hijacking - if you can do that, you're probably going to go after email systems, banking or credit card, or actual websites including hosted wallets. It's like being given a space based laser and using it to open your can of tuna :-)