Can we transfer malware via the MQTT protocol in IoT devices?

Submitted by tracyyun on Sat, 06/11/2022 - 09:04

If you mean malware in the sense of viruses and trojans designed to compromise PCs, then the answer is no. IoT devices are not PCs and tend to use microcontroller CPUs (rather than Intel); even if you transferred the malware code as an MQTT payload to the device, it could not run in that environment. In addition, there is a wide variety of different architectures in use in IoT devices, often as little hardware as possible in order to make the devices cost-effective.

MQTT message payloads can be anything, but are most often text, or some data representation like JSON, XML or YAML. Although you could send some executable code via MQTT, this would be a really bad design (in my view), to allow an IoT device to execute arbitrary code sent to it from an unknown external party.
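
One way to apply the design point above on the receiving side, as an added example that is not part of the original post: the handler treats every MQTT payload as untrusted data, accepts only a small allowlisted JSON command format, and never evaluates or executes what it receives. The topic name, size limit and command names are assumptions made for illustration, and the function would be called from whatever message callback the MQTT client library provides.

```python
import json

MAX_PAYLOAD_BYTES = 256  # assumed upper bound for a small device
ALLOWED_TOPICS = {"devices/sensor-01/cmd"}  # constructed topic name

# Hypothetical command allowlist: command name -> validator for its value.
ALLOWED_COMMANDS = {
    "set_interval": lambda v: type(v) is int and 1 <= v <= 3600,
    "set_led": lambda v: type(v) is bool,
}


class RejectedPayload(ValueError):
    """Raised when a message does not match the expected data format."""


def parse_command(topic, payload):
    """Return (command, value) for a valid message, else raise RejectedPayload."""
    if topic not in ALLOWED_TOPICS:
        raise RejectedPayload("unexpected topic")
    if len(payload) > MAX_PAYLOAD_BYTES:
        raise RejectedPayload("payload too large")
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        # Binary blobs (for example an executable image) end up here.
        raise RejectedPayload("not UTF-8 JSON")
    if not isinstance(msg, dict) or set(msg) != {"cmd", "value"}:
        raise RejectedPayload("unexpected structure")
    cmd, value = msg["cmd"], msg["value"]
    if not isinstance(cmd, str) or cmd not in ALLOWED_COMMANDS:
        raise RejectedPayload("unknown command")
    if not ALLOWED_COMMANDS[cmd](value):
        raise RejectedPayload("invalid value")
    return cmd, value


def handle(topic, payload):
    """Validate one message and return a status string; nothing is executed."""
    try:
        cmd, value = parse_command(topic, payload)
    except RejectedPayload as exc:
        return f"rejected: {exc}"
    return f"accepted: {cmd}={value!r}"
```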