B.t.w. I discovered that at the time of the attack - shortly (seconds/minutes) before - 3 files were created in the /.electrum directory:
/.electrum/certs/guichet.centure.cc
/.electrum/certs/blackie.c3-soft.com
/.electrum/certs/btc.aftrek.org
Idk if this is normal (e.g. new servers connected) or could that have been the malicious servers?
These are Electrum server certificates that are used to encrypt your communication with them using SSL (somewhat similar to how you communicate with a website using https). All servers must have them and they send it to you so that you can encrypt/decrypt the messages with that server.
There are no known vulnerability that a "malicious" server can exploit to gain access to your keys though.