That IP address (35.159.53.115) is in a subnet owned by AWS, in the eu-central-1 region. Your seed phrase must have been stolen by malware, which sent it to a script on that IP address to make the transaction. (Why would someone create a remote Desktop on a VPS just to open a browser when they can do it locally?)
To mask their IP address of course... they were most likely NOT running a remote desktop, but a proxy server to redirect their traffic and mask their real IP address. I would not be surprised if they actually used several proxy servers to bounce their connection around to try and prevent anyone from tracking them.