Well, and stop using RSA, if possible
Kleptographic attacks have been described against Diffie-Hellman, DSA, and others as well. In reality there’s nothing special about RSA in this regard: any scheme falls to this attack if the attacker has the ability to alter the key material.
I’m reading through RSA’s paper on KEGVER, a proposed “nothing up my sleeve” zero-knowledge scheme that would let a third party verify the key was safely and randomly generated. I’m not too far through it looks like part of the scheme makes use of the fact that kleptographic attacks require additional processing time, so it’s possible to detect keys that are created dishonestly.
The real risk comes with RNG attacks - if you call RDRAND and get back random numbers for P and Q, you’re in good shape… but if Intel and the NSA decided everyone gets back AES(RND | NSA-PubKey), we’re all up the creek! This is why the NSA really wants everyone to use DUAL_EC_DRBG.
AES(RND | NSA-PubKey)