I had a strange issue with a BTC transfer. When I broadcast a (small) transaction from my address/coin (which I marked as "spend" in the coins tab), at the same time another transaction was initiated with a very large amount from my other coin address in the same wallet to an unknown address, and the funds were moved 1h later from there to a Binance address.
I am 99% sure I don't have any malware / viruses / keyloggers etc. (all checked multiple times, even rootkit scanners) on my (Debian/Linux) system, and also the AppImage I have used many times before and after (!) that "hack" without problems is originally from Electrum.org and GPG-verified! I also never downloaded or updated (via phishing messages etc.) any other version.
The weird thing is that something just drained my second BTC address but not the other ones in the same wallet (with the same password!).
My fear is that there is a new (unknown) vulnerability in Electrum that allows malicious servers to inject code, as in the old JSON-RPC port vulnerability (prior to 3.0.4). Malware on my PC would also have drained all BTC addresses entirely and not just picked a single one, or at least would have repeatedly tried to initiate transactions, but I have used the same Electrum program, wallet and addresses after this attack without issues.
The second transaction was initiated at the same time I entered my wallet password (to sign my TX) and hit "broadcast".
Has anybody had a similar case?
If it was an "Electrum stealer program", how do they work exactly and what programs are known/discovered? Is the above-described behaviour typical for such software or for a malicious Electrum server?