Remote Access Trojans (RATs) are new to me — apparently, you can get one on a Windows machine as a malware payload from fake CloudFlare DDoS alert pages on hacked WordPress sites.
Bill Toulas at BleepingComputer says additional scripts “will download the Raccoon Stealer password-stealing trojan and launch it on the device.”
Take care if you run into a site with a CloudFlare alert that seems sketchy. There’s not a lot else you can do. Toulas recommends “enabling strict script blocking settings” on your browser, which of course “will break the functionality of almost all sites.”