You can do without port forwarding, if you set up your RAT or bot on a dedicated server and administrate it remotely (you can connect to it through whatever - even TOR, but, given that you usually have to pay, you should think about ways to make your payments anonymous). For bots it is usually possible find cheap or even free, but subpar, web page hosting. For RATs, you have to find a Virtual Dedicated Server or dedicated server and run it from there. Microsoft Azure is the example that comes to mind, but likely not a good place for this type of activities - something like this is probably better.
Or you can just try running RATs through commonly open ports, like 80 or 443. Theoretically it might work, though maybe not with all RATs.