Two-stage APT malware propagation model in computer networks

Đỗ Xuân Chợ

Early detection and prevention of advanced persistent threats (APT) is a critical challenge in cybersecurity. This paper presents an innovative approach using a dual susceptible–infected–recovered (Dual-SIR) model to predict the two-stage spread of APT malware within networks. The first SIR model addresses infections at the first stage, the device and user level, which serves as a precursor to server compromise. The second SIR model focuses on the second stage of propagation: server infections, where sensitive organizational data is stored. Experimental results demonstrate the effectiveness of our proposed model not only for APT malware but also for other types of malware. Our work significantly contributes to the field of cybersecurity by offering a more accurate and proactive method for predicting malware spread. Additionally, this approach has potential applications in forecasting the dissemination of malware in wireless sensor networks and the spread of malicious information on social media platforms.

Published in:

Two-stage APT malware propagation model in computer networks


Publisher:

Neural Computing and Applications

Location:


Keywords:

APT, MITRE ATT&CK Framework