This wouldn’t be conclusive since it would be pretty easy to just hide these payloads in some other traffic stream to a compromised node, which is a super common way cyberthreat command and control functions. If the user never initiates a connection to the host, the payloads just wait around so as not to generate suspicious traffic.
Obviously the threat model for advertising is a bit different, but there’s no reason someone trying to hide this functionality wouldn’t take similar steps.