There is no server in Moscow, and I don't think there ever was. Muse Group left their original office in Kaliningrad for Cyprus pretty much the second the war started, and at this point has no offices or employees left in Russia. The servers always have been bog-standard cloud things, so Cloudflare, DigitalOcean, aws via Netlify and such.
Not good to hear they're based in Moscow, but that ship has presumably already sailed and sunk if you're running the auto-update code in an existing Audacity installation.
What other concerns besides national origin exist with this code? Nothing seems to qualify as a "back door," certainly.
Set the system language and timezone, the IP and originating ASN, to areas where APT28/APT29 is having active malware campaigns and see whether you'll receive a sample. Pretty simple.
The real question is whether they have changed their C2 behaviors since Valentine's day in 2023, and whether or not the AstraL1nvx botnet operator images are still available publicly.