TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.
Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.
As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.
On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).
Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.
So:
- there is RTC powerup hardware support, or more (integrated management systems, common on enterprise computers)
- the malware must already have taken control of the system, since RTC functions usually require administrator/root level access.
- RTC powerup HW support not present, or not used:
- if the malware has taken control of the system, it can have replaced the shutdown procedure with a mere going into sleep, and set up things to exit sleep mode at a later time.
But did either of these options happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them. They usually go with the third and easiest option:
- some of the usual automatic power-up or logon sequences (autoexec, boot scripts, scheduled tasks, run services and so on) is subverted so that additional code, namely, the malware, is silently run.
For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.