Hrm, an interesting challenge.
Just spouting off the top of my head:
It would depend on how the RAT works. I'm more into webhacking, so I don't know much about this. But, if the RAT requires an exploit that happens when the user loads the page, then no, forget about it. However, if it requires the browser to get a *response* from the page, you're in business.
Do not mistake understanding for realization, and do not mistake realization for liberation1A4EAMboaXpgvUSmtRbVRqbfJrbyuGhyoo