So. First of all. This kind of stuff is exactly why you have a backup. Good for you.
We have not heard of this before. However, we are unaware of any exploits in Nextcloud to have remote code execution.
So if you could go trough your access logs to find out what was going on please do.
Someting that comes to mind. Are you by any chance running NGINX with our outdated config and an outdate php-fpm?