RAT and port forwarding
RAT and port forwarding #1
Maybe it's a dumb question and I'm probably missing something, but I don't totally understand how a remote access trojan can work: from my networking knowledge, I have learned that software (such as ssh) should have its access port opened both on the host and on the router to listen for incoming connections, and this is called port forwarding. Since, from what I know, RATs only open ports on the host, how is it possible that they work without port forwarding?

[+] 1 user Likes __c__'s post

RE: RAT and port forwarding #2
First, port forwarding is needed only if you're behind a router (basically when multiple hosts can share the same public IP). As you implied, that's almost always true for individual users, then.

However, the goal of port forwarding is only to be able to reach the infected host directly from the internet.
I don't know about specific RATs, but it's common for any payload to use a reverse connection: basically the host isn't listening for connections, but tries to connect to your server, thus you only need to have a reachable server (with a static IP or DNS) and you don't risk any port forwarding issue.

EDIT: Meaning that a RAT that doesn't need your server's address will likely not work for individual users behind routers, except if this RAT uses its own server or this kind of dirty workaround
(This post was last modified: 10-26-2022, 05:54 PM by fritz.)

[+] 1 user Likes fritz's post
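For a defender, the reverse connection described in the reply above means that NAT and the absence of port forwarding offer no protection, so the place to look is egress traffic. The following is an added example, not part of the original posts, that flags internal hosts calling the same external destination at near-fixed intervals. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress records: "epoch_seconds src_ip dst_ip dst_port".
# 10.0.0.x stands for internal hosts; the destinations are documentation ranges.
SAMPLE_FLOWS = """\
1000 10.0.0.5 198.51.100.7 443
1003 10.0.0.8 203.0.113.20 443
1060 10.0.0.5 198.51.100.7 443
1075 10.0.0.8 203.0.113.20 443
1121 10.0.0.5 198.51.100.7 443
1180 10.0.0.5 198.51.100.7 443
1190 10.0.0.8 203.0.113.20 443
1241 10.0.0.5 198.51.100.7 443
1600 10.0.0.8 203.0.113.20 443
1300 10.0.0.5 198.51.100.7 443
"""

def parse_flows(text):
    """Group outbound connection timestamps by (src, dst, port)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        try:
            by_pair[(fields[1], fields[2], int(fields[3]))].append(float(fields[0]))
        except ValueError:
            continue  # non-numeric timestamp or port
    return by_pair

def find_beacons(text, min_conns=4, max_jitter=0.1):
    """Return pairs whose connection gaps are regular (low coefficient of variation)."""
    findings = []
    for key, times in parse_flows(text).items():
        if len(times) < min_conns:
            continue  # too few samples to judge periodicity
        times.sort()  # records may arrive out of order
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append((key, round(avg, 1), round(jitter, 3)))
    return findings

if __name__ == "__main__":
    for (src, dst, port), period, jitter in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} every ~{period}s (jitter {jitter})")
```

Regular browsing traffic, like the second host in the sample, has irregular gaps and is not flagged; software that polls on a timer (update checkers, telemetry) will be, so findings need an allowlist or manual review.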