The fact that the NSA has implants (from the various Snowden files) that do exactly this and exfiltrate over a network should tell us that this is not so far fetched. The bulk of the data volume is only used when the capability is being exploited. It would not be so hard to send out marker of exploitability over innocuous traffic (say tweaking an HTTP header) meant to be picked up by sniffing / MotS.