The Gumblar malware, which returned in the past several weeks, appears to be neutralized for the moment. In its return, Gumblar was using compromised websites to host its malware code instead of a website owned by the person(s) behind the hack. Other websites that have been compromised by Gumblar, then have code inserted into them that causes a file, with the malware code, to be loaded from one the websites that host the malware.
Gumblar inserted backdoor scripts as part of its hack, which someone other than the original hacker could have used to change the code stored on the host websites. It is also possible that the originally hacker made the change for some unknown reason.