This analysis uncovers the expansion of a significant botnet operation, dubbed Quad7 or 7777 botnet, characterized by its unique use of TCP port 7777 on compromised routers, primarily TP-Link and Hikvision devices. The research reveals a potential second tranche of bots, the 63256 botnet, comprised mainly of infected ASUS routers, indicating an evolution of the threat actor's tactics. Over a 30-day period, 12,783 active bots were identified across both infrastructures, highlighting the botnet's substantial scale. The analysis also pinpoints seven management IP addresses associated with the botnet's operations, some previously undisclosed. The findings underscore the resilience and adaptability of this persistent threat, warranting continued vigilance and collaborative efforts to mitigate its impact.